Re: [CentOS] New selinux-policy breaks logwatch emails?
On Jan 8, 2010, at 4:54 PM, James Rankin wrote:

For anyone else finding this: https://bugzilla.redhat.com/show_bug.cgi?id=553492

Here's a stupid question: can we install the rpm provided on the link above (see comment 12)? Or is the correct way to modify the local policy?

Thanks,
Dianne

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] New selinux-policy breaks logwatch emails?
On 01/08/2010 08:28 AM James Rankin wrote:

Hello,

After a yum update last night, I had a CentOS 5.4 i386 system pull in the following selinux updates:

Jan 07 21:39:14 Updated: selinux-policy-2.4.6-255.el5_4.3.noarch
Jan 07 21:39:31 Updated: selinux-policy-targeted-2.4.6-255.el5_4.3.noarch

This machine has SELinux set to Enforcing. This morning, I see I got the following email from Cron:

/etc/cron.daily/0logwatch:
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success

Frankly, this error message means little to me... In the course of troubleshooting, I tried this:

# setenforce Permissive
# /etc/cron.daily/0logwatch

And it worked! The logwatch email sends without error. If I turn SELinux back to Enforcing, then the email error is consistently repeated.

What confuses me is that, when SELinux enforcing causes this error to occur, no SELinux or AVC messages appear in /var/log/messages or /var/log/secure or /var/log/audit/audit.log.

Has anyone else seen this? Any suggestions would be appreciated. Thanks!

By setting selinux to permissive, you've, in effect, turned it off. SELinux will still provide messages about infractions, but won't prevent things from running... i.e., it is no longer guarding your system.

hth,
ken
Re: [CentOS] New selinux-policy breaks logwatch emails?
On Fri, Jan 8, 2010 at 8:28 AM, James Rankin rankin.ja...@gmail.com wrote:

Frankly, this error message means little to me... In the course of troubleshooting, I tried this:

# setenforce Permissive
# /etc/cron.daily/0logwatch

And it worked! The logwatch email sends without error. If I turn SELinux back to Enforcing, then the email error is consistently repeated.

What confuses me is that, when SELinux enforcing causes this error to occur, no SELinux or AVC messages appear in /var/log/messages or /var/log/secure or /var/log/audit/audit.log.

Has anyone else seen this? Any suggestions would be appreciated. Thanks!

That's interesting... Have you tried increasing the loglevel? It's a kernel option, unfortunately, and enabled with an audit=xx on the grub boot. It might give you more than you're seeing in the audit log. You may also want to try a relabel and manually check the context of all associated binaries.
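To make the advice above concrete, here is an added example (not posted by anyone in this thread) of how to surface a denial that Enforcing blocks but the audit log never shows. The commonest cause of a silent denial is a dontaudit rule in the loaded policy, so the script temporarily disables those rules, reproduces the failure, reads the AVCs back, and then checks the on-disk labels of the binaries involved against what the newly installed policy expects. The enableaudit.pp and base.pp paths are an assumption about the CentOS 5 targeted policy package; on RHEL 6 and later the equivalent commands are semodule -DB and semodule -B. The AVC record used by the parser is constructed for the demo and is not a denial taken from the reporter's machine.

```shell
#!/bin/sh
# Added example, not from the thread. Surface SELinux denials that are
# enforced but not logged (typically because the policy carries a dontaudit
# rule for them), then verify file labels against the installed policy.
#
# Assumption: CentOS/RHEL 5 targeted policy ships enableaudit.pp and base.pp
# under /usr/share/selinux/targeted. On RHEL 6+ replace the two semodule -b
# calls with 'semodule -DB' (disable dontaudit) and 'semodule -B' (restore).

TARGETED=/usr/share/selinux/targeted

# Reduce one audit.log AVC record (read from stdin) to
#   "<perms> <comm> <scontext> <tcontext> <tclass>"
# which is exactly what audit2allow or a policy bug report needs to see.
# Non-AVC lines produce no output.
avc_summary() {
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} *for .*comm="\([^"]*\)".*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\1 \2 \3 \4 \5/p'
}

# Run this, as root, on the affected box while it is Enforcing.
hunt_silent_denial() {
    getenforce                                   # must say Enforcing to reproduce
    rpm -q selinux-policy-targeted               # record which policy build is loaded
    semodule -b "$TARGETED/enableaudit.pp"       # stop dontaudit rules hiding AVCs
    setenforce 1
    /etc/cron.daily/0logwatch || true            # reproduce; ignore its exit status
    ausearch -m avc -ts recent | avc_summary     # AVCs from the last 10 minutes
    semodule -b "$TARGETED/base.pp"              # put the dontaudit rules back
    # Compare on-disk contexts with what the policy expects; a mismatch here
    # means the fix is restorecon on that path, not a new allow rule.
    matchpathcon -V /usr/sbin/postdrop /usr/sbin/sendmail.postfix /etc/cron.daily/0logwatch
}

# Constructed sample record for the parser (not a real denial from this thread).
SAMPLE_AVC='type=AVC msg=audit(1262998754.123:456): avc:  denied  { read } for  pid=4321 comm="postdrop" name="maildrop" dev=sda2 ino=12345 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir'

case "${1-}" in
    run)  hunt_silent_denial ;;
    demo) printf '%s\n' "$SAMPLE_AVC" | avc_summary ;;
esac
```

Use `sh surface-denials.sh demo` to see the parser output for the sample record and `sh surface-denials.sh run` on the affected host. While enableaudit.pp is loaded the audit log gets noisy with denials that are harmless by design, so read only the records from the reproduction window and load base.pp again as soon as you have them.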
Re: [CentOS] New selinux-policy breaks logwatch emails?
By setting selinux to permissive, you've, in effect, turned it off. SELinux will still provide messages about infractions, but won't prevent things from running... i.e., it is no longer guarding your system.

hth,
ken

Thanks for the reply; the fact that the error only occurs when Enforcing is basically the point I am trying to make... The absence of AVC messages is what I found troubling. In the past, every SELinux denial I've seen has been logged. I will increase the loglevel and try to get more info.
Re: [CentOS] New selinux-policy breaks logwatch emails?
That's interesting... Have you tried increasing the loglevel? It's a kernel option, unfortunately, and enabled with an audit=xx on the grub boot. It might give you more than you're seeing in the audit log. You may also want to try a relabel and manually check the context of all associated binaries.

I will try both of these steps. Thanks!
Re: [CentOS] New selinux-policy breaks logwatch emails?
For anyone else finding this: https://bugzilla.redhat.com/show_bug.cgi?id=553492 and also https://bugzilla.redhat.com/show_bug.cgi?id=553277
Re: [CentOS] New selinux-policy breaks logwatch emails?
On Fri, Jan 8, 2010 at 7:54 PM, James Rankin rankin.ja...@gmail.com wrote:

For anyone else finding this: https://bugzilla.redhat.com/show_bug.cgi?id=553492 and also https://bugzilla.redhat.com/show_bug.cgi?id=553277

Oh whew... From the other thread it looks like this bit a few people.
Re: [CentOS] New selinux-policy breaks logwatch emails?
Kwan Lowe kwan.l...@gmail.com wrote:

Oh whew... From the other thread it looks like this bit a few people.

Sorry - I came in late and missed the earlier discussion (so many emails to skim, so little time . . . ).

Around October, a CentOS 5.3 web server here also stopped updating Webalizer stats. When I finally noticed, I discovered it was an issue with SELinux denying access to the logs, and used audit2allow to update the policy. If anyone else fell foul of this, I'm happy to send them the policy.

Oh, wth - it's only two short files:

*** webalizerlocal.te:

module webalizerlocal 1.0;

require {
    type httpd_t;
    type home_root_t;
    class file { read getattr };
}

#============= httpd_t ==============
# let Apache read and stat files labelled home_root_t
allow httpd_t home_root_t:file { read getattr };

*** webalizerlocal2.te:

module webalizerlocal2 1.0;

require {
    type home_root_t;
    type webalizer_t;
    class dir search;
}

#============= webalizer_t ==============
# let webalizer traverse directories labelled home_root_t
allow webalizer_t home_root_t:dir search;

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
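For anyone wanting to use those two files, here is an added example (not Les Bell's own commands) of the build-and-load cycle for a local policy module on CentOS 5, with a preview of what the module grants before it is loaded. The preview function is the practitioner's check: audit2allow output is only as narrow as the denials it was fed, so read the allow rules before installing them. The module name is taken as an argument and the .te text embedded below is the webalizerlocal module from the message, used only as sample input for the preview function.

```shell
#!/bin/sh
# Added example, not from the thread: review, build and load a local SELinux
# policy module on CentOS 5 (checkmodule from checkpolicy, semodule_package
# and semodule from policycoreutils).

# Print each allow rule of a .te file (read from stdin) as
#   "<source type> <target type> <class> <perms>"
# so a reviewer can see every grant the module makes before loading it.
te_grants() {
    sed -n 's/^[[:space:]]*allow[[:space:]]\{1,\}\([^[:space:]]*\)[[:space:]]\{1,\}\([^:]*\):\([^[:space:]]*\)[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1 \2 \3 \4/p'
}

# build_and_load NAME: compiles NAME.te in the current directory into NAME.pp
# and installs it; the final listing confirms the module is active.
build_and_load() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
    semodule -l | grep "^$name"
}

# The first module posted above, embedded as sample input for te_grants.
SAMPLE_TE='module webalizerlocal 1.0;

require {
    type httpd_t;
    type home_root_t;
    class file { read getattr };
}

allow httpd_t home_root_t:file { read getattr };
'

case "${1-}" in
    demo)    printf '%s' "$SAMPLE_TE" | te_grants ;;
    preview) te_grants < "$2.te" ;;
    load)    te_grants < "$2.te" && build_and_load "$2" ;;
esac
```

Run `sh localmod.sh preview webalizerlocal` to see the grants, then `sh localmod.sh load webalizerlocal` to compile and install. Both rules above target home_root_t, which is the label of /home itself rather than of any particular web content; if the Webalizer output lives in a directory of its own, the narrower alternative is to label that directory with a type httpd_t may already read (`semanage fcontext -a -t httpd_sys_content_t '/path/to/stats(/.*)?'` followed by `restorecon -Rv /path/to/stats`, with the path being a hypothetical placeholder) and load no allow rule at all.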