Re: selinux blocking access, no AVC warnings in /var/log/messages or /var/log/audit/audit.log


On 11/02/2010 06:42 AM, Jonathan Kamens wrote:
> Hi all,
> 
> I need to set up a procmail rule that receives an aliases file via
> email, saves it within the home directory of the user receiving the
> email, and builds a postfix hash map out of it with postalias.
> 
> There were various selinux denied messages associated with the work the
> script has to do, which I fixed incrementally with several test runs of
> the script combined with audit2allow, yielding this eventual policy:
> 
> module aliasupdate 1.0;
> 
> require {
>     type postfix_postdrop_t;
>     type user_home_t;
>     type postfix_master_exec_t;
>     type procmail_t;
>     class file { getattr append read open execute execute_no_trans };
> }
> 
> allow postfix_postdrop_t user_home_t:file { getattr append };
> allow procmail_t postfix_master_exec_t:file execute_no_trans;
> allow procmail_t postfix_master_exec_t:file { read execute open getattr };
> 
How about trying

postfix_domtrans_master(procmail_t)

> Now, however, I'm still getting a permission problem. From my procmail log:
> 
> postalias: fatal: open /etc/postfix/main.cf: Permission denied
> 
> I know this is an selinux issue, since the problem goes away if I do
> "setenforce 0", but here's the weird thing: when this error occurs,
> nothing gets logged in either /var/log/messages or
> /var/log/audit/audit.log, so I can't figure out how to fix my selinux
> policy to allow whatever action is being denied here.
> 
> Can somebody help me figure out why selinux would fail to log any sort
> of message when blocking access, and what I can do to fix it?
> 
> Thank you,
> 
> Jonathan Kamens
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

There is a dontaudit rule that is blocking you from receiving the
message in the audit log.  You can turn off dontaudit rules by executing

# semodule -DB

Turn them back on by executing

# semodule -B


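The aliasupdate module quoted in the question is what audit2allow derives by grouping AVC denial records by source type, target type and object class. As an added example (not code from this thread, from audit2allow or from the SELinux project), the Python below does that same grouping over constructed sample audit.log lines written to match the rules in that module; the pids, paths and inode numbers in the sample are made up, and the function names are this example's own.

```python
"""Parse SELinux AVC denial records and derive the allow rules that
audit2allow would emit.  Added example; the sample log lines are
constructed to match the thread's aliasupdate module, not taken from
a real system."""
import re
from collections import defaultdict

# Constructed sample: the AVC records that would lead audit2allow to the
# aliasupdate module quoted in the thread (pids, paths and inodes are made up).
# The SYSCALL record shows that non-AVC lines are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1288700000.101:201): avc:  denied  { execute_no_trans } for  pid=4242 comm="procmail" path="/usr/libexec/postfix/master" dev="dm-0" ino=131 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file
type=AVC msg=audit(1288700000.102:202): avc:  denied  { read open } for  pid=4242 comm="procmail" path="/usr/libexec/postfix/master" dev="dm-0" ino=131 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file
type=AVC msg=audit(1288700000.103:203): avc:  denied  { getattr execute } for  pid=4242 comm="procmail" path="/usr/libexec/postfix/master" dev="dm-0" ino=131 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1288700000.103:203): arch=c000003e syscall=59 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1288700000.104:204): avc:  denied  { append } for  pid=4243 comm="postdrop" path="/home/someuser/aliases.log" dev="dm-0" ino=777 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1288700000.105:205): avc:  denied  { getattr } for  pid=4243 comm="postdrop" path="/home/someuser/aliases.log" dev="dm-0" ino=777 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record: verdict, permission set, free-form fields, then the three
# fields every rule keys on: source context, target context, object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the parsed fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', m.group("fields"))
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": comm.group(1) if comm else None,
        # A context is user:role:type:range; policy rules key on the type.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_module(name, version, rules):
    """Render a type-enforcement module in the shape audit2allow -M produces."""
    types = sorted({src for src, _, _ in rules} | {tgt for _, tgt, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("aliasupdate", "1.0", collect_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module with the same require block and allow rules as the one in the question. The parser can only ever see what the kernel logged: a denial matched by a dontaudit rule produces no AVC record at all, which is why nothing appears for the main.cf open until dontaudit rules are disabled with `semodule -DB` as the reply describes. Rules generated this way are a record of what was denied, not necessarily the right fix; where the policy provides an interface for the access, such as the postfix_domtrans_master(procmail_t) suggested in the reply, that is preferable to a raw allow rule.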