On Tue, 2013-06-04 at 11:40 -0400, Daniel J Walsh wrote:
> On 06/04/2013 05:06 AM, Cristian Sava wrote:
> > I am trying to activate selinux for my mailserver. It is an F19
> > postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual
> > environment. All needed is stock or was packaged on F19 (rpmbuild -ta ... /
> > rpmbuild -ba ...) and all is working fine (selinux disabled). No tar.gz
> > directly installed. I am trying to fix things one by one. Any advice is
> > welcome. When receiving a message, selinux complains (permissive):
> > 
> > SELinux is preventing /usr/sbin/courierlogger from getattr access on the
> > file /var/spool/authdaemon/pid.
> > 
> > ***** Plugin catchall (100. confidence) suggests ***************************
> > 
> > If you believe that courierlogger should be allowed getattr access on the
> > pid file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep courierlogger /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> > 
> > Additional Information:
> > Source Context                system_u:system_r:courier_authdaemon_t:s0
> > Target Context                system_u:object_r:courier_spool_t:s0
> > Target Objects                /var/spool/authdaemon/pid [ file ]
> > Source                        courierlogger
> > Source Path                   /usr/sbin/courierlogger
> > Port                          <Unknown>
> > Host                          s198.domain.xx
> > Source RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
> > Target RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
> > Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     s198.domain.xx
> > Platform                      Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
> > Alert Count                   7
> > First Seen                    2013-05-30 16:35:05 EEST
> > Last Seen                     2013-06-04 11:30:02 EEST
> > Local ID                      469bd394-ddfb-454b-89e0-5ea40c2cf36b
> > 
> > Raw Audit Messages
> > type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for  pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
> > 
> > 
> > type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0 ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger exe=/usr/sbin/courierlogger subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)
> > 
> > Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
> > 
> > [cristi@s198 ~]$ getsebool -a | grep " on"
> > auditadm_exec_content --> on
> > domain_fd_use --> on
> > fips_mode --> on
> > global_ssp --> on
> > gluster_export_all_rw --> on
> > gssd_read_tmp --> on
> > guest_exec_content --> on
> > httpd_builtin_scripting --> on
> > httpd_can_network_connect --> on
> > httpd_can_network_connect_db --> on
> > httpd_enable_cgi --> on
> > httpd_enable_homedirs --> on
> > httpd_graceful_shutdown --> on
> > httpd_mod_auth_pam --> on
> > httpd_sys_script_anon_write --> on
> > httpd_use_gpg --> on
> > kerberos_enabled --> on
> > logging_syslogd_can_sendmail --> on
> > login_console_enabled --> on
> > mcelog_exec_scripts --> on
> > mount_anyfile --> on
> > nfs_export_all_ro --> on
> > nfs_export_all_rw --> on
> > nscd_use_shm --> on
> > openvpn_enable_homedirs --> on
> > postfix_local_write_mail_spool --> on
> > postgresql_selinux_unconfined_dbadm --> on
> > postgresql_selinux_users_ddl --> on
> > privoxy_connect_any --> on
> > saslauthd_read_shadow --> on
> > secadm_exec_content --> on
> > selinuxuser_direct_dri_enabled --> on
> > selinuxuser_execmod --> on
> > selinuxuser_execstack --> on
> > selinuxuser_mysql_connect_enabled --> on
> > selinuxuser_ping --> on
> > selinuxuser_rw_noexattrfile --> on
> > selinuxuser_tcp_server --> on
> > spamassassin_can_network --> on
> > spamd_enable_home_dirs --> on
> > squid_connect_any --> on
> > staff_exec_content --> on
> > sysadm_exec_content --> on
> > telepathy_tcp_connect_generic_network_ports --> on
> > unconfined_chrome_sandbox_transition --> on
> > unconfined_login --> on
> > unconfined_mozilla_plugin_transition --> on
> > user_exec_content --> on
> > virt_use_usb --> on
> > xend_run_blktap --> on
> > xend_run_qemu --> on
> > xguest_connect_network --> on
> > xguest_exec_content --> on
> > xguest_mount_media --> on
> > xguest_use_bluetooth --> on
> > [cristi@s198 ~]$
> > 
> > Am I missing something obvious?
> > 
> > C. Sava
> > 
> 
> Why is courier storing pid files in /var/spool/authdaemon/pid?
> 
> Current policy allows courier_authdaemon to create sock_files in this
> directory but not regular files.
> 

That is beyond me, but I think there may be a reason, and I don't find
complaints about it on forums. I think that it just has to work, with and
without selinux; it's the administrator's choice (without the need to
compile modules and so on, only an option needed). Courier is too well
known to be ignored and it is not some very special beast.

C. Sava

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
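The sealert output quoted in the thread tells the admin to pipe the audit log through audit2allow and load whatever comes out. Before loading a local module it is worth seeing exactly which rule the denial maps to, because the rule grants the denied permission permanently to every process in the source domain. The script below is an added example, not code from the thread or from the courier or selinux-policy projects: it parses a raw AVC record into its source type, target type, object class and permissions, prints the single allow rule audit2allow would emit, and wraps it in a complete .te module source. The AVC record is a constructed copy of the one quoted above (same fields, same contexts); the function names avc_field, ctx_type, avc_perms, avc_to_te and avc_to_module are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): turn a raw AVC record into the
# SELinux policy rule that audit2allow would generate, so the rule can be
# read and reviewed before anything is compiled or loaded with semodule.

# Constructed copy of the AVC record quoted in the thread, on one line.
AVC_SAMPLE='type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for  pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file'

# Print the value of one key=value field of an audit record
# ($1 = record, $2 = key). Surrounding double quotes are stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The SELinux type is the third colon-separated component of a context
# (user:role:type:level), e.g. system_u:system_r:courier_authdaemon_t:s0.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Print the space-separated permission list inside "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Emit the allow rule for one AVC record, in the form audit2allow prints:
#   allow <source type> <target type>:<class> { <perms> };
avc_to_te() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)" \
    "$(avc_perms "$1")"
}

# Emit a complete .te source for one record ($1 = module name,
# $2 = record): module header, require block, then the allow rule.
# This is the same shape "audit2allow -M <name>" writes to <name>.te.
avc_to_module() {
  name=$1
  rec=$2
  src=$(ctx_type "$(avc_field "$rec" scontext)")
  tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
  cls=$(avc_field "$rec" tclass)
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
  printf '\tclass %s { %s };\n}\n\n' "$cls" "$(avc_perms "$rec")"
  avc_to_te "$rec"
}

# Stand-alone run: show the module the thread's denial would turn into.
avc_to_module mypol "$AVC_SAMPLE"
```

Reading the generated rule makes the point of the thread concrete: the module would add `allow courier_authdaemon_t courier_spool_t:file { getattr };`, i.e. it widens what the authdaemon domain may do with regular files labelled courier_spool_t, which is exactly the class of access the shipped policy does not grant (it allows sock_file there, not file). Whether that widening is the right fix, or whether the pid file belongs in a differently labelled directory, is a decision to make with the rule in front of you rather than by loading the compiled .pp blindly.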