John Dennis wrote:
There are others, but selinux should only log
the AVCs in Permissive. Right? But the selinux system is actually doing
denials.
Just for clarification, setroubleshoot will still report a denial in
permissive mode because it is logged as a denial by the audit system,
however the action should still be permitted.
I am aware of that. The problem is the action IS being denied even in
Permissive mode.
There is an open bug report requesting the text in the setroubleshoot
message to be modified when the system is in permissive mode to say
"SELinux would have denied" instead of "denied". We're going to be fixing
that; it's not quite as trivial as it seems because all the messages
have been translated into other languages, so you can't just do a simple
string substitution and retain correct grammar in another language, but
we will be fixing this one way or another.
In theory, if your spam filtering is not working it shouldn't be
because SELinux is actually denying anything, because you're in
permissive mode. I would first look elsewhere. I'm not saying it's
impossible it's SELinux, but because you're in permissive mode it's
very unlikely.
Again, I truly believe it is selinux.
For example, clamd tries to open a socket in /var/spool/amavisd. On my
Fedora 7 system I get:
[root@gei ~]# l -Z /var/spool/amavisd/
drwx------ amavis amavis system_u:object_r:amavis_spool_t ./
drwxr-xr-x root root system_u:object_r:var_spool_t ../
srwxr-x--- amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
srwxrwxrwx amavis amavis system_u:object_r:clamd_var_run_t clamd.sock=
drwx------ amavis amavis system_u:object_r:amavis_spool_t db/
drwx------ amavis amavis system_u:object_r:amavis_spool_t quarantine/
drwxr-x--- amavis amavis system_u:object_r:amavis_spool_t .razor/
drwx------ amavis amavis system_u:object_r:amavis_spool_t .spamassassin/
drwx------ amavis amavis system_u:object_r:amavis_spool_t tmp/
[root@gei ~]# uname -a
Linux gei 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 21:09:24 EDT 2007 i686 i686 i386 GNU/Linux
[root@gei ~]# getenforce
Enforcing
[root@gei ~]#
On the Fedora 8 system, I get:
[root@joe ~]# getenforce
Permissive
[root@joe ~]# l -Z /var/spool/amavisd/
drwx------ amavis amavis system_u:object_r:amavis_spool_t ./
drwxr-xr-x root root system_u:object_r:var_spool_t ../
srwxr-x--- amavis amavis system_u:object_r:amavis_var_run_t amavisd.sock=
drwx------ amavis amavis system_u:object_r:amavis_spool_t db/
drwx------ amavis amavis system_u:object_r:amavis_spool_t quarantine/
drwxr-x--- amavis amavis system_u:object_r:amavis_spool_t .razor/
drwx------ amavis amavis system_u:object_r:amavis_spool_t .spamassassin/
drwx------ amavis amavis system_u:object_r:amavis_spool_t tmp/
[root@joe ~]# uname -a
Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686 i386 GNU/Linux
Notice that there is no socket created by clamd even in permissive
mode. The following is from the maillog:
Dec 1 11:49:45 joe postfix/smtp[8576]: 2523B38687C:
to=<root@xxxxxxxxxxx>, orig_to=<root>,
relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=34207,
delays=34175/23/0/9, dsn=4.5.0, status=deferred (host
127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing,
id=08570-02-2, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS
FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x80de630) Too many retries to talk to
/var/spool/amavisd/clamd.sock (Can't connect to UNIX socket
/var/spool/amavisd/clamd.sock: No such file or directory) at
(eval 55) line 310. at (eval 55) line 511.; ClamAV-clamscan av-scanner
FAILED: /usr/bin/clamscan unexpected exit 50, output="LibClamAV Error:
cli_loaddb(): No supported database files found in /var/lib/clamav/
451-4.5.0 daily.inc 451 4.5.0 ERROR: Not supported data format" at
(eval 55) line 511. (in reply to end of DATA command))
Notice it cannot connect to the socket because it does not exist. That
confirms that the creation of the socket is being denied in my opinion.
That is why I didn't bother with the rest of the AVCs yet, since I
probably don't have them all without being able to successfully run in
Permissive mode to collect them for startup and shutdown.
Regards,
John
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
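The thread's core question is whether an AVC in the audit log is an enforced denial or only a "would have denied" record written in permissive mode. The following is an added example, not code from the thread or from setroubleshoot: it parses AVC records and sorts them by that distinction. It assumes the kernel appends a permissive=0/1 field to each AVC (later kernels do; where it is absent the enforcement state is reported as unknown rather than guessed), and the sample records are constructed, not taken from the poster's system.

```python
import re

# Constructed sample audit records (not from the original thread). Modern
# kernels end each AVC with permissive=0 (enforced) or permissive=1 (logged only).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1196531385.123:42): avc:  denied  { create } for  pid=8570 comm="clamd" name="clamd.sock" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1196531385.456:43): avc:  denied  { write } for  pid=8570 comm="clamd" name="amavisd" dev=dm-0 ino=1234 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1196531385.456:43): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Older kernels omit permissive=; report unknown instead of assuming either way.
    flag = rec.get("permissive")
    rec["enforced"] = None if flag is None else flag == "0"
    return rec


def describe(rec):
    """Word the finding the way the thread asks setroubleshoot to: 'would have denied' in permissive mode."""
    verb = {True: "denied", False: "would have denied",
            None: "denied (enforcement state unknown)"}[rec["enforced"]]
    return f"SELinux {verb} {rec['comm']} {' '.join(rec['perms'])} on {rec['name']} ({rec['tclass']})"


def triage(log_text):
    """Split a log into (enforced_or_unknown, permissive_only) lists of descriptions.

    Only the first list can explain a missing socket; entries in the second
    were logged but the operation itself was allowed, so look elsewhere.
    """
    enforced, permissive_only = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        (permissive_only if rec["enforced"] is False else enforced).append(describe(rec))
    return enforced, permissive_only
```

Run `triage(open("/var/log/audit/audit.log").read())` on a real log to see which denials could actually have blocked clamd from creating its socket.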