Stephen Smalley wrote:
: Easier way to do that is:
: audit2allow -M localpostfix
: That creates the .te file, runs it through checkmodule, and runs it
: through semodule_package, leaving you with the .pp file.

OK, thanks.

: > but when I try to load it using "semodule -i localpostfix.pp",
: > the semodule command hangs for several minutes, eating almost 100 % CPU.
: > After that, it fails with
: >
: > libsemanage.dbase_llist_query: could not query record value (No such file or directory).
:
: Hmmm...that's interesting. Usually that means you are missing a config
: file in the policy store. Are you starting from the stock Fedora policy
: or your own custom policy? Also, did it actually fail or just issue
: that warning and proceed?

Well, this system has been running for several years and upgraded through
several Fedora releases (although SELinux has never been in use there).
Now I have decided to enable SELinux (together with an upgrade to F9), so
I have installed Fedora (or Fedora updates) packages of SELinux tools,
targeted policy, etc. So yes, the starting point was the stock F9 setup,
but I cannot say it is a fresh F9 install.

Running find /etc/selinux -print on that system and on a just installed
and updated F9 system leads to this diff:

diff /tmp/list.upgraded /tmp/list.fresh
70d69
< /etc/selinux/targeted/modules/active/modules/localpostfix.pp
115a115
> /etc/selinux/targeted/modules/active/seusers
117a118,119
> /etc/selinux/targeted/modules/active/users_extra.local
> /etc/selinux/targeted/modules/active/users.local
120,207d121
< /etc/selinux/targeted/modules/tmp
< /etc/selinux/targeted/modules/tmp/base.pp
< /etc/selinux/targeted/modules/tmp/commit_num
[... and lots of other files in .../tmp, because semodule -i localpostfix.pp
was running at that time ...]

Semodule -i does not fail per se - it returns 0 to the shell. However,
Postfix still does not work, and AVCs similar to the original ones are
still logged into the audit.log.
-Yenya

-- 
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
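A quick sanity check for the situation Yenya describes, as an added example that is not part of this thread or of the SELinux tools: it reports which of the per-store files that the diff showed on the fresh F9 host (seusers, users.local, users_extra.local) are absent from a policy store, flags a leftover modules/tmp directory from an interrupted semodule run, and checks whether a module is actually listed by semodule -l. The file list is taken only from the diff above and is an assumption, not a libsemanage specification.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a libsemanage policy store
# (e.g. /etc/selinux/targeted) for the per-store files that were present on
# the fresh F9 system but missing on the upgraded one in the diff above.
# Assumption: that file list is what "missing a config file in the policy
# store" refers to; it is derived from the diff, not from a spec.

EXPECTED_STORE_FILES="seusers users.local users_extra.local"

# check_policy_store DIR
# Prints each expected file missing from DIR/modules/active, one per line.
# Returns 0 if all expected files exist, 1 otherwise.
check_policy_store() {
    store="$1"
    active="$store/modules/active"
    missing=0
    if [ ! -d "$active" ]; then
        echo "$active: no active module directory"
        return 1
    fi
    for f in $EXPECTED_STORE_FILES; do
        if [ ! -f "$active/$f" ]; then
            echo "$active/$f: missing"
            missing=1
        fi
    done
    # A leftover modules/tmp means a semodule run was interrupted or is still
    # in progress (as in the diff); report it without failing the check.
    if [ -d "$store/modules/tmp" ]; then
        echo "$store/modules/tmp: present (interrupted or running semodule?)"
    fi
    return $missing
}

# module_loaded NAME: 0 if "semodule -l" lists NAME, 1 otherwise.
# Needs root and a working policy store; handles both "name" and
# "name<TAB>version" output formats.
module_loaded() {
    semodule -l 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}

# Usage on a real host (as root):
#   check_policy_store /etc/selinux/targeted && module_loaded localpostfix
```

If the store check reports missing files, a "semodule -i" that returns 0 but never makes the module take effect is consistent with Yenya's symptoms, so compare the store against a clean install before trusting the exit status.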