On 01/18/2013 09:24 AM, Miroslav Grepl wrote: > On 01/18/2013 12:11 AM, Jean-David Beyer wrote: >> I have been running Red Hat Enterprise Linux since 2004, starting with >> RHEL 3. Later I upgraded to RHEL 5. When I needed a new computer, I got >> RHEL 6 to run on it. >> >> RHEL 6 runs with SELinux turned on by default and it is presenting me >> with oneproblem, but my /var/log/messages file indicates I have _a lot_ >> of others. >> >> Now according to Red Hat's documentation, I should report these as bugs, >> but that seems a bit extreme if it is just a misconfiguration problem. >> >>> Missing Type Enforcement rules are usually caused by bugs in SELinux >>> policy, and should be reported in Red Hat Bugzilla. For Red Hat >>> Enterprise Linux, create bugs against the Red Hat Enterprise Linux >>> product, and select the selinux-policy component. Include the output >>> of the audit2allow -w -a and audit2allow -a commands in such bug >>> reports. >> Should I really do that? And if so, just how? How do I specify the >> problem in a way to be useful? >> >> One problem is that I have a shell script, run by cron that sends an >> email with mailx to me (on the same machine). That means it is run by >> root. And the mail fails when cron runs it. It is adding an attachment >> and SELinux says it is denied. Now when I run it myself, but logged in >> as root, the e-mail works. I do not specifically want to solve that >> problem here, but I do need to now how to change the system policy file, >> wherever it is, so I do not need to continually make little ones, say by >> running stuff like this: >> >> # grep boinc_client /var/log/audit/audit.log | audit2allow -M myboinc >> # semodule -i myboinc.pp >> >> I also wish to make the change, if they are really required, permanent. >> >> Any advice? >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux > Hi, > I believe we should collect all AVC msgs. Could you execute > > # semanage permissive -a system_mail_t Done. > > which will make the domain as permissive. So nothing will be denied and > we will see AVC msgs in /var/log/audit/audit.log. Also I believe the > local policy is better than a rebuild of the policy package. > Looking at that file will be no fun at all. So far this week it is already like this: # wc -l audit.log 21675 audit.log Here is the last one that failed: type=AVC msg=audit(1358497393.637:38545): avc: denied { read } for pid=6812 comm="mailx" name="report.2013Jan180316" dev=sdb8 ino=525382 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file # locate report.2013Jan180316 /var/log/Backups/report.2013Jan180316 /dev/sdb8 16126920 1126208 14181512 8% /var What I have already done is this: Jan 13 03:52:17 DellT7600 kernel: type=1400 audit(1358067137.751:38575): avc: denied { read } for pid=19533 comm="mailx" name="report.2013Jan130344" dev=sdb8 ino=525338 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file I tried to fix it with this: sealert -l b6766d24-f5e8-4db5-94eb-a153b7e0f35a SELinux is preventing /bin/mailx from read access on the file report.2013Jan180316. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mailx should be allowed read access on the report.2013Jan180316 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mailx /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp DellT7600:root[/var/log]# grep mailx /var/log/audit/audit.log | audit2allow -M mymail1 ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i mymail1.pp DellT7600:root[/var/log]# semodule -i mymail1.pp But my guess it will fail tomorrow anyway because the file in question tomorrow will be a different one, named something like report.2013Jan190316. We will see. dominick.grift has another idea, but I am too new at this to fully understand what he says to do. I have been writing computer program since about 1956, but SELinux is a bit beyond me. I do not want to take a month off to learn all about SELinux if I can possibly help it. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
