I think he maybe meant audit2allow? Which you would need this package for: policycoreutils-python
On 07/17/2017 08:39 PM, Stephen Isard wrote:
> Thanks, but I can't find audit2text in the sl7 or epel repositories.
> "yum search audit2text" and "yum provides '*/audit2text'" both come up
> blank. Can you tell me where to get it?
>
> On Mon, 17 Jul 2017, Paul Robert Marino prmarino1-at-gmail.com
> |Scientific Linux| wrote:
>
>> It looks like you may be right that it's /proc/net
>>
>> Have you tried using the python audit tools such as audit2text to
>> analyze them they can make it a lot easier to understand what's going
>> on, though they usually don't tell you if there is a bool you can
>> flip to fix it.
>> That tool still needs to be written :)
>> Original Message
>> From: [email protected]
>> Sent: July 17, 2017 2:16 PM
>> To: [email protected]
>> Subject: selinux preventing access to directory net
>>
>> On two SL7.3 systems where I have set exim as my mta alternative, I
>> am getting a lot of entries in /var/log/messages saying "SELinux is
>> preventing /usr/bin/exim from search access on the directory net",
>> with the usual accompanying "if you believe that exim should be
>> allowed..." stuff, but the logs don't explain what call to exim
>> triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for
>> pid=3097 comm="exim" name="net" dev="proc" ino=7154
>> scontext=system_u:system_r:exim_t:s0
>> tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open
>> success=no exit=EACCES a0=7ff03baef4b0 a1=80000 a2=1b6 a3=24 items=0
>> ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0
>> egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim
>> exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two Centos 7 reports,
>> https://bugs.centos.org/view.php?id=13247 and
>> https://bugs.centos.org/view.php?id=12913 that look as if they might
>> be the same thing with different mta alternatives, but no response to
>> either.
>>
>> All that the mta is supposed to be doing on these systems is
>> reporting the output of cron jobs, and that appears to be happening
>> correctly, so I am puzzled as to what this is about. I'm not even
>> sure what net directory is being referred to. /proc/net? Does an
>> mta need to look in that directory? I can send mail internally, to
>> and from my local user and root, and that doesn't provoke selinux
>> messages in the logs.
>>
>> Any suggestions for where to look?
>>
>> Thanks,
>>
>> Stephen Isard
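
Added example, not part of the thread and not code from any of its participants: a small Python script that pairs the AVC record quoted above with its SYSCALL record by audit event id and condenses the pair into one line per denial. The function names and the flag table are this example's own; the sample input is the two quoted records unwrapped onto one line each.

```python
import re

# Constructed sample: the two raw audit records quoted in the thread, unwrapped.
SAMPLE = """\
type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=80000 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o2000000: "O_CLOEXEC"}

def parse_events(text):
    """Group records by (timestamp, serial) so each AVC meets its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if m.group(1) == "AVC":  # permissions sit in "{ ... }", not key=value
            perms = re.search(r"\{([^}]*)\}", line)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault((m.group(2), m.group(3)), {})[m.group(1)] = fields
    return events

def decode_open_flags(hexval):
    """Name access mode and flag bits of an open() a1 argument (hex, Linux x86_64 values)."""
    flags = int(hexval, 16)
    names = ["O_RDONLY"] if (flags & 0o3) == 0 else []
    return names + [n for bit, n in OPEN_FLAGS.items() if flags & bit]

def summarize(events):
    """One line per denial: which binary, via which syscall, on what object."""
    out = []
    for (_, serial), recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        src, tgt = (avc[c].split(":")[2] for c in ("scontext", "tcontext"))
        how = sc.get("syscall", "?")
        if how == "open" and "a1" in sc:
            how += "(" + "|".join(decode_open_flags(sc["a1"])) + ")"
        out.append(f"event {serial}: {sc.get('exe', avc.get('comm'))} [{src}] {how} -> "
                   f"{avc['tclass']} name={avc.get('name')} dev={avc.get('dev')} [{tgt}] "
                   f"denied {','.join(avc['perms'])} exit={sc.get('exit')}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(parse_events(SAMPLE))))
```

The audit record carries only the final path component (name="net"), so the target type in tcontext, here sysctl_net_t, is the field that identifies which net directory was searched.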
