F19-mailserver & selinux complains

I am trying to activate selinux for my mailserver.
It is an F19 postfix_courier_amavisd-new_clamav_squirrelmail install in a
virtual environment. Everything needed is stock or was packaged on F19
(rpmbuild -ta ... / rpmbuild -ba ...) and all is working fine (selinux
disabled). No tar.gz installed directly.
I am trying to fix things one by one. Any advice is welcome. When
receiving a message selinux complains (permissive):

SELinux is preventing /usr/sbin/courierlogger from getattr access on the
file /var/spool/authdaemon/pid.

*****  Plugin catchall (100. confidence) suggests   ***************************

If you believe that courierlogger should be allowed getattr access on
the pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep courierlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:courier_authdaemon_t:s0
Target Context                system_u:object_r:courier_spool_t:s0
Target Objects                /var/spool/authdaemon/pid [ file ]
Source                        courierlogger
Source Path                   /usr/sbin/courierlogger
Port                          <Unknown>
Host                          s198.domain.xx
Source RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
Target RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     s198.domain.xx
Platform                      Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
Alert Count                   7
First Seen                    2013-05-30 16:35:05 EEST
Last Seen                     2013-06-04 11:30:02 EEST
Local ID                      469bd394-ddfb-454b-89e0-5ea40c2cf36b

Raw Audit Messages
type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for
pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1"
ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0
tcontext=system_u:object_r:courier_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat
success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0
ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger
exe=/usr/sbin/courierlogger
subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)

Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr

[cristi@s198 ~]$ getsebool -a | grep " on"
auditadm_exec_content --> on
domain_fd_use --> on
fips_mode --> on
global_ssp --> on
gluster_export_all_rw --> on
gssd_read_tmp --> on
guest_exec_content --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_graceful_shutdown --> on
httpd_mod_auth_pam --> on
httpd_sys_script_anon_write --> on
httpd_use_gpg --> on
kerberos_enabled --> on
logging_syslogd_can_sendmail --> on
login_console_enabled --> on
mcelog_exec_scripts --> on
mount_anyfile --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nscd_use_shm --> on
openvpn_enable_homedirs --> on
postfix_local_write_mail_spool --> on
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
privoxy_connect_any --> on
saslauthd_read_shadow --> on
secadm_exec_content --> on
selinuxuser_direct_dri_enabled --> on
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> on
selinuxuser_ping --> on
selinuxuser_rw_noexattrfile --> on
selinuxuser_tcp_server --> on
spamassassin_can_network --> on
spamd_enable_home_dirs --> on
squid_connect_any --> on
staff_exec_content --> on
sysadm_exec_content --> on
telepathy_tcp_connect_generic_network_ports --> on
unconfined_chrome_sandbox_transition --> on
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
user_exec_content --> on
virt_use_usb --> on
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
[cristi@s198 ~]$ 

Am I missing something obvious?

C. Sava


-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
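The catchall plugin quoted in the post pipes the matching audit lines through audit2allow, which reduces each AVC denial to an allow rule in a local policy module. The script below is an added illustration of that reduction, not part of the post or of audit2allow itself: it parses the raw AVC line from the post (re-joined onto one line as a constructed sample) and emits the type-enforcement source the catchall would have loaded as mypol.pp, merging permissions when several denials name the same source type, target type and class.

```python
import re
from collections import defaultdict

# Constructed sample: the raw AVC message from the post, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for '
    'pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" '
    'ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 '
    'tcontext=system_u:object_r:courier_spool_t:s0 tclass=file'
)

# Captures the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, set(perms)) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type field is what policy rules name.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def build_module(name, lines):
    """Aggregate denials into one TE module, merging permissions per (src, tgt, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)           # every class must declare the perms it uses
    for (_, _, c), p in rules.items():
        classes[c] |= p
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # One allow rule per (source, target, class); this mirrors the denial exactly.
    for (s, tg, c), p in sorted(rules.items()):
        out.append(f"allow {s} {tg}:{c} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out) + "\n"
```

The rule reproduces the denial as-is, so check first with `matchpathcon /var/spool/authdaemon/pid` whether the file simply carries an unexpected label; a mislabelled file is fixed with restorecon, not with extra policy.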