-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/04/2013 05:06 AM, Cristian Sava wrote:
> I am trying to activate selinux for my mailserver. It is F19
> postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual
> environment. All needed is stock or was packaged on F19 (rpmbuild -ta ... /
> rpmbuild -ba ...) and all is working fine (selinux disabled). No tar.gz
> directly installed. I am trying to fix things one by one. Any advice is
> welcome. When receiving a message selinux complain (permissive):
>
> SELinux is preventing /usr/sbin/courierlogger from getattr access on the
> file /var/spool/authdaemon/pid.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that courierlogger should be allowed getattr access on the
> pid file by default. Then you should report this as a bug. You can generate
> a local policy module to allow this access. Do allow this access for now by
> executing: # grep courierlogger /var/log/audit/audit.log | audit2allow -M
> mypol # semodule -i mypol.pp
>
> Additional Information: Source Context
> system_u:system_r:courier_authdaemon_t:s0 Target Context
> system_u:object_r:courier_spool_t:s0 Target Objects
> /var/spool/authdaemon/pid [ file ] Source
> courierlogger Source Path /usr/sbin/courierlogger Port
> <Unknown> Host s198.domain.xx Source RPM Packages
> courier-authlib-0.65.0-1.fc19.x86_64 Target RPM Packages
> courier-authlib-0.65.0-1.fc19.x86_64 Policy RPM
> selinux-policy-3.12.1-47.fc19.noarch Selinux Enabled True
> Policy Type targeted Enforcing Mode
> Permissive Host Name s198.domain.xx Platform
> Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC
> 2013 x86_64 x86_64 Alert Count 7 First Seen
> 2013-05-30 16:35:05 EEST Last Seen 2013-06-04 11:30:02
> EEST Local ID 469bd394-ddfb-454b-89e0-5ea40c2cf36b
>
> Raw Audit Messages type=AVC msg=audit(1370334602.277:26): avc: denied {
> getattr } for pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid"
> dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0
> tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat
> success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0 ppid=1
> pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=4294967295 tty=(none) comm=courierlogger
> exe=/usr/sbin/courierlogger subj=system_u:system_r:courier_authdaemon_t:s0
> key=(null)
>
> Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
>
> [cristi@s198 ~]$ getsebool -a | grep " on" auditadm_exec_content --> on
> domain_fd_use --> on fips_mode --> on global_ssp --> on
> gluster_export_all_rw --> on gssd_read_tmp --> on guest_exec_content -->
> on httpd_builtin_scripting --> on httpd_can_network_connect --> on
> httpd_can_network_connect_db --> on httpd_enable_cgi --> on
> httpd_enable_homedirs --> on httpd_graceful_shutdown --> on
> httpd_mod_auth_pam --> on httpd_sys_script_anon_write --> on httpd_use_gpg
> --> on kerberos_enabled --> on logging_syslogd_can_sendmail --> on
> login_console_enabled --> on mcelog_exec_scripts --> on mount_anyfile -->
> on nfs_export_all_ro --> on nfs_export_all_rw --> on nscd_use_shm --> on
> openvpn_enable_homedirs --> on postfix_local_write_mail_spool --> on
> postgresql_selinux_unconfined_dbadm --> on postgresql_selinux_users_ddl -->
> on privoxy_connect_any --> on saslauthd_read_shadow --> on
> secadm_exec_content --> on selinuxuser_direct_dri_enabled --> on
> selinuxuser_execmod --> on selinuxuser_execstack --> on
> selinuxuser_mysql_connect_enabled --> on selinuxuser_ping --> on
> selinuxuser_rw_noexattrfile --> on selinuxuser_tcp_server --> on
> spamassassin_can_network --> on spamd_enable_home_dirs --> on
> squid_connect_any --> on staff_exec_content --> on sysadm_exec_content -->
> on telepathy_tcp_connect_generic_network_ports --> on
> unconfined_chrome_sandbox_transition --> on unconfined_login --> on
> unconfined_mozilla_plugin_transition --> on user_exec_content --> on
> virt_use_usb --> on xend_run_blktap --> on xend_run_qemu --> on
> xguest_connect_network --> on xguest_exec_content --> on xguest_mount_media
> --> on xguest_use_bluetooth --> on [cristi@s198 ~]$
>
> Do I miss something obvious?
>
> C. Sava
>
>
Why is courier storing pid files in /var/spool/authdaemon/pid?
Current policy allows courier_authdaemon to create sock_files in this
directory but not regular files.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGuClgACgkQrlYvE4MpobPe5wCgwcXNlAhf2rsHryipOyxr77nT
TAsAnRNluuZM4+1y/FrZ4fSD85bUkdpf
=VgId
-----END PGP SIGNATURE-----
--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
