Hi,
I have found that my server (running RHEL 6 with plenty of EPEL
stuff, most interesting here is probably Zarafa) is still in
permissive mode. Before switching back to enforcing I ran ausearch -m
AVC -ts this-week and got the attached list of AVC denials (note that
every SYSCALL record below shows success=yes, i.e. the denied operations
still went through because of permissive mode, so they would start
failing once enforcing is on). I am not sure what to make of these, but
before I blindly file bugs in bugzilla (or blindly switch on various
booleans), I thought I would ask for advice here.
[root@luther selinux-research]# audit2allow <avc-this-week.txt \
|grep -v '^#'|grep -v '^\s*$'
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search
add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr
setattr read create open };
allow httpd_t postfix_spool_t:dir search;
# Is httpd_can_sendmail --> off really to blame, or is there some weird
# interaction between Zarafa webmail and postfix? The AVC records below
# show /usr/sbin/sendmail.postfix and postdrop running in httpd_t as
# uid 48 and being denied write access to the postfix maildrop queue and
# the public/pickup FIFO, which is the normal local mail-submission path,
# so this looks consistent with the boolean simply being off. Loading the
# rules above as a local module would instead give httpd_t itself direct
# write access to the postfix queue, which is broader than what the
# boolean is meant to allow; audit2why (audit2allow -w) on the same input
# should say whether a boolean covers each denial (note that the
# grep -v '^#' above also strips any hints audit2allow itself prints).
allow httpd_t self:process setrlimit;
# This only happened once, and I don't feel comfortable switching the
# httpd_setrlimit boolean on without knowing why it is required. Looking
# at the log, the setrlimit denial (event 4671) comes from the same
# sendmail.postfix process (pid 24960, in httpd_t) as the postfix_spool_t
# search denial, not from httpd itself, so it appears to be part of the
# same mail-submission attempt rather than something httpd needs on its
# own.
My booleans related to http:
[root@luther selinux-research]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
[root@luther selinux-research]#
Thanks for any advice,
Matěj
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.521:4670): arch=40000003 syscall=12 success=yes exit=0 a0=1c16c78 a1=0 a2=5ebff4 a3=5ed840 items=0 ppid=7550 pid=24960 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.521:4670): avc: denied { search } for pid=24960 comm="sendmail" name="postfix" dev=dm-0 ino=1835316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.524:4671): arch=40000003 syscall=75 success=yes exit=0 a0=1 a1=bf96e98c a2=8f1ff4 a3=ffffffff items=0 ppid=7550 pid=24960 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.524:4671): avc: denied { setrlimit } for pid=24960 comm="sendmail" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.857:4672): arch=40000003 syscall=5 success=yes exit=4 a0=7387d0 a1=80c2 a2=1a4 a3=bfec5498 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.857:4672): avc: denied { read write open } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.857:4672): avc: denied { create } for pid=24961 comm="postdrop" name="858047.24961" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.857:4672): avc: denied { add_name } for pid=24961 comm="postdrop" name="858047.24961" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344435172.857:4672): avc: denied { write } for pid=24961 comm="postdrop" name="maildrop" dev=dm-0 ino=1835325 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344435172.857:4672): avc: denied { search } for pid=24961 comm="postdrop" name="maildrop" dev=dm-0 ino=1835325 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.979:4673): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfec53a0 a2=b7867ff4 a3=bfec5498 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.979:4673): avc: denied { getattr } for pid=24961 comm="postdrop" path="/var/spool/postfix/maildrop/858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.980:4674): arch=40000003 syscall=38 success=yes exit=0 a0=7387d0 a1=738640 a2=1c1ff4 a3=7387d0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.980:4674): avc: denied { rename } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.980:4674): avc: denied { remove_name } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.982:4675): arch=40000003 syscall=94 success=yes exit=0 a0=4 a1=1e4 a2=1c1ff4 a3=0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.982:4675): avc: denied { setattr } for pid=24961 comm="postdrop" name="EF6B91C03F8" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
----
time->Wed Aug 8 16:12:53 2012
type=SYSCALL msg=audit(1344435173.252:4676): arch=40000003 syscall=195 success=yes exit=0 a0=738938 a1=bfec5370 a2=b7867ff4 a3=738938 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435173.252:4676): avc: denied { getattr } for pid=24961 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1344435173.252:4676): avc: denied { search } for pid=24961 comm="postdrop" name="public" dev=dm-0 ino=1835328 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:53 2012
type=SYSCALL msg=audit(1344435173.252:4677): arch=40000003 syscall=5 success=yes exit=4 a0=738938 a1=8801 a2=0 a3=0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435173.252:4677): avc: denied { open } for pid=24961 comm="postdrop" name="pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1344435173.252:4677): avc: denied { write } for pid=24961 comm="postdrop" name="pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file