On 04/23/2013 04:37 PM, m.roth@xxxxxxxxx wrote:
m.roth@xxxxxxxxx wrote:
We've just built a new machine, running CentOS 6.4. I built, then my
manager pulled stuff off the machine that it's replacing, installing as
necessary. I'm seeing a ton of complaints of "SELinux is preventing
/usr/libexec/dovecot/imap from search access on the directory indexes.".
Now, ps -Z | grep dove shows that dovecot's running as
unconfined_u:system_r:dovecot_t:s0, while a typical index it's trying to
read shows ll -Z as system_u:object_r:dovecot_t. As a side note, it's
owned by user, with group of nobody.
I see the same file on the old server as being
system_u:object_r:var_spool_t.
Why would selinux be complaining? Is what was on the old system the
correct context?
This is very frustrating. My manager rebooted this morning, so now I'm not
sure about which avc I wrote about yesterday. However, I see various
things:
1. Last night, dovecot was throwing AVCs... and I was looking at it
mentioning
one user's email spool... but when I ran the sealert, it spoke of a
*different* user's spool.
Looking at a few of the AVCs, as Miroslav requested, *some* of this
may have changed, even without a relabel on the reboot, since I see
it complaining that something had been unlabled, where if I look at
it now with ll -Z, I see it as dovecot_t.
2. Sendmail is complaining, among other things, that it can't write to
/etc/sendmail/statistics. ll -Z shows
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 statistics
Meanwhile, I try to look at /usr/sbin/sendmail (ARGH!):
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /usr/sbin/sendmail ->
/etc/alternatives/mta
lrwxrwxrwx. root root system_u:object_r:etc_t:s0
/etc/alternatives/mta -> /usr/sbin/sendmail.sendmail
-rwxr-sr-x. root smmsp system_u:object_r:sendmail_exec_t:s0
/usr/sbin/sendmail.sendmail
Looking further in my log, I see it's also complaining about
sendmail trying to do things to
/var/run/milter-greylist/milter-greylist.sock. So, can someone
suggest what I need to do to make selinux shut up about sendmail?
Typical AVC:
type=AVC msg=audit(1366726917.008:87837): avc: denied { write } for
pid=1401 comm="sendmail" name="statistics" dev=sda3 ino=44769294
scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
Is this telling me that, as I asked yesterday, I need to change the
user context to system_u from unconfined_u?
3. This one makes *zero* sense to me: SELinux is preventing
/lib64/security/pam_krb5/pam_krb5_storetmp from execute access on the
file /lib64/security/pam_krb5/pam_krb5_storetmp. ll -Z
-rwxr-xr-x. root root system_u:object_r:bin_t:s0
/lib64/security/pam_krb5/pam_krb5_storetmp*
I won't even start to get into the perl complaints....
mark
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Ok, hard to say without AVC msgs. But for the first issue
milter_stream_connect_all(sendmail_t)
Then the problem is with
/etc/sendmail/statistics
which is supposed to be written in /etc directory. What does
# rpm -qf /etc/sendmail/statistics
# chcon -t etc_aliases_t /etc/sendmail/statistics
should fix it for now.
And last one would need
corecmd_exec_bin() for a source type from AVC msg which we don't have.
Regards,
Miroslav
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux