Re: [CentOS] selinux & httpd & portmap

2008-08-01 Thread Toby Bluhm


Just to follow up with a summary on this . . .

Followed the email HowTo on the CentOS wiki by installing postfix,
dovecot, postgrey, amavisd and setting up SSL/TLS.


Set selinux to permissive, targeted.

Sent many, many emails with attachments, spam, etc. to & from the box.

Removed previous selinux entries from audit.log.

The new policy was extracted with
  cat new_audit.log|audit2allow -m local

module local 1.0;

require {
type traceroute_port_t;
type amavis_t;
type postfix_spool_t;
type clamd_t;
type amavis_var_lib_t;
type sysctl_kernel_t;
type var_t;
type postfix_smtpd_t;
type initrc_t;
type proc_t;
class unix_stream_socket connectto;
class file { read getattr };
class sock_file write;
class lnk_file { read create unlink getattr };
class udp_socket name_bind;
class dir { read search };
}

#= amavis_t ==
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;

#= clamd_t ==
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };

#= postfix_smtpd_t ==
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;


Put the policy into effect with
  cat new_audit.log|audit2allow -M local
  semodule -i local.pp

Ran through all the same email tests.

selinux has not complained - yet.



--
Toby Bluhm
Alltech Medical Systems America, Inc.



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Toby Bluhm

Ralph Angenendt wrote:
> MHR wrote:
>> Tony,
>>
>> 1) Please edit your replies to remove unnecessary information.
>>
>> 2) If you need to present this large of an amount of data, please
>> include it in an attachment.
>
> Maybe that would have broken the list limit ...

Not sure of your meaning - by being 53k or being a 53k attachment?

> 53k * several thousand mails ...

I did check my trashbin for CentOS messages sorted by size & 53k was
nowhere near the worst offenders - not trying to make an excuse, just
showing my thought process - seemed like I would be okay. And it was
data, not just the same sig repeated 50 times or a big bitmap.



Is there a recommended limit on email size posted somewhere?

Perhaps the membership join/reminder could have etiquette/rules included?


Awaiting my penance . . . .



--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203



Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread MHR
On Mon, Jul 28, 2008 at 11:51 AM, Ralph Angenendt
<[EMAIL PROTECTED]> wrote:
> MHR wrote:
>> Tony,
>>
>> 1) Please edit your replies to remove unnecessary information.
>>
>> 2) If you need to present this large of an amount of data, please
>> include it in an attachment.
>
> Maybe that would have broken the list limit ...
>
> 53k * several thousand mails ...
>
Seems like it already would have if it could.

Okay, post on a web page somewhere

Picky, picky, picky, I just don't know, never satisfied, yada, yada, yada

;^)

mhr


Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Ralph Angenendt
MHR wrote:
> Tony,
> 
> 1) Please edit your replies to remove unnecessary information.
> 
> 2) If you need to present this large of an amount of data, please
> include it in an attachment.

Maybe that would have broken the list limit ...

53k * several thousand mails ...

Cheers,

Ralph




Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread MHR
On Mon, Jul 28, 2008 at 11:26 AM, Toby Bluhm <[EMAIL PROTECTED]> wrote:
>
> I was waiting for you :)
>
I knew it!  Furses!  Coiled again!

> BTW - my name is Toby.
>

Then I wasn't talking to you!  Either that, or it was a typo - the n
and the b are right next to each other on my keyboard, and I do that a
lpt.

;^)

(Sorry about that!)

mhr


Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Toby Bluhm

MHR wrote:
> Tony,
>
> 1) Please edit your replies to remove unnecessary information.
>
> 2) If you need to present this large of an amount of data, please
> include it in an attachment.
>
> Thanks.

I was waiting for you :)

BTW - my name is Toby.


--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203




Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread MHR
Tony,

1) Please edit your replies to remove unnecessary information.

2) If you need to present this large of an amount of data, please
include it in an attachment.

Thanks.

mhr


Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Toby Bluhm

Craig White wrote:
> On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:
>
> I just want to point out that the issue isn't with postfix but rather
> amavisd and how/where amavisd connects/communicates with the various
> parts and pieces.
>
> I'm afraid that I can't be too much help here because I use MailScanner
> and not amavisd but the SELinux mail list could help you work through
> these things (I'm presuming that amavisd hasn't worked through all of
> their contexts).

Sounds like my situation is not completely unexpected. Thanks for your
hints - I'll follow up on them.

--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203



Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Craig White
On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:

> >> SO - is it normal to have to update policies on basic services? Am I 
> >> missing an rpm?
> > 
> > those aren't basic services but are packages that are supplied by
> 
> postfix is centos, the rest are from rpmforge
> 
> > repositories other than CentOS/upstream and apparently don't have all of
> > their files/folder labeled properly.
> > 
> > what do you get from command...
> > 
> > sealert -a /var/log/dmesg
> 
> 
> zero alerts
> 
> 
> > or
> > sealert -a /var/log/audit/audit.log
> > 
> 
> 
> lots of stuff from when it wasn't labeled right, so I stripped all 
> audit.log entries before the last DAEMON_START to a file & ran sealert 
> on it.

I just want to point out that the issue isn't with postfix but rather
amavisd and how/where amavisd connects/communicates with the various
parts and pieces.

I'm afraid that I can't be too much help here because I use MailScanner
and not amavisd but the SELinux mail list could help you work through
these things (I'm presuming that amavisd hasn't worked through all of
their contexts).

Craig



Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Craig White
On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:
> Summary:
> 
> SELinux is preventing clamd (clamd_t) "read" to ./daily.cld (var_t).
> 
> Detailed Description:
> 
> [SELinux is in permissive mode, the operation would have been denied
> but was
> permitted due to permissive mode.]
> 
> SELinux denied access requested by clamd. It is not expected that
> this 
> access is
> required by clamd and this access may signal an intrusion attempt. It
> is 
> also
> possible that the specific version or configuration of the application
> is
> causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try
> to 
> restore
> the default system file context for ./daily.cld,
> 
> restorecon -v './daily.cld'
> 
> If this does not work, there is currently no automatic way to allow
> this 
> access.
> Instead, you can generate a local policy module to allow this access
> - 
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
> disable
> SELinux protection altogether. Disabling SELinux protection is not 
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:clamd_t:s0
> Target Context                system_u:object_r:var_t:s0
> Target Objects                ./daily.cld [ file ]
> Source                        clamd
> Source Path                   /usr/sbin/clamd
> Port
> Host
> Source RPM Packages           clamd-0.93.3-1.el5.rf
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall_file
> Host Name                     mail.alltechmedicalsystemsamerica.com
> Platform                      Linux mail.alltechmedicalsystemsamerica.com
>                               2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
>                               2008 i686 athlon
> Alert Count                   2
> First Seen                    Fri Jul 25 14:44:44 2008
> Last Seen                     Fri Jul 25 15:38:04 2008
> Local ID                      c0eb4a2f-6b73-4632-8f93-ca7dc67bb0f2
> Line Numbers                  11, 12, 102, 103
> 
> Raw Audit Messages
> 
> type=AVC msg=audit(1217014684.863:88): avc:  denied  { read } for 
> pid=2027 comm="clamd" name="daily.cld" dev=md0 ino=980633 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:var_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1217014684.863:88): arch=4003 syscall=33 
> success=yes exit=0 a0=b156a88 a1=4 a2=3e1e20 a3=b156a88 items=0
> ppid=1 
> pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101 
> egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd" 
> exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)

you definitely want to run...

restorecon -v '/var/clamav/daily.cld'
or something like...
chcon -t clamd_var_lib_t /var/clamav/daily.cld

Craig



Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Craig White
On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:

> Sometimes labeling problems can cause SELinux denials. You could try to 
> restore
> the default system file context for ./kernel,
> 
> restorecon -v './kernel'

did you try this?

> 
> If this does not work, there is currently no automatic way to allow this 
> access.
> Instead, you can generate a local policy module to allow this access - 
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
> disable
> SELinux protection altogether. Disabling SELinux protection is not 
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:clamd_t:s0
> Target Context                system_u:object_r:sysctl_kernel_t:s0
> Target Objects                ./kernel [ dir ]
> Source                        clamd
> Source Path                   /usr/sbin/clamd
> Port
> Host
> Source RPM Packages           clamd-0.93.3-1.el5.rf
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall_file
> Host Name                     mail.alltechmedicalsystemsamerica.com
> Platform                      Linux mail.alltechmedicalsystemsamerica.com
>                               2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
>                               2008 i686 athlon
> Alert Count                   1
> First Seen                    Fri Jul 25 14:44:44 2008
> Last Seen                     Fri Jul 25 14:44:44 2008
> Local ID                      8e3e4626-632c-4abc-b520-89c65771babf
> Line Numbers                  8, 9, 10
> 
> Raw Audit Messages
> 
> type=AVC msg=audit(1217011484.818:9): avc:  denied  { search } for 
> pid=2026 comm="clamd" name="kernel" dev=proc ino=-268435416 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> 
> type=AVC msg=audit(1217011484.818:9): avc:  denied  { read } for 
> pid=2026 comm="clamd" name="ngroups_max" dev=proc ino=-268435368 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1217011484.818:9): arch=4003 syscall=5 
> success=yes exit=3 a0=265c24 a1=0 a2=27fff4 a3=281994 items=0 ppid=2025 
> pid=2026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" 
> subj=system_u:system_r:clamd_t:s0 key=(null)

this one is a bit beyond me unless the 

restorecon -v './kernel'

works - you might want to check in on the selinux-list...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Craig



Re: [CentOS] selinux & httpd & portmap

2008-07-28 Thread Toby Bluhm

Craig White wrote:

> On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:
>> Ian Blackwell wrote:
>>> Craig White wrote:
>>>> Suggest that you make sure you are fully updated, then
>>>> 'touch /.autorelabel' then reboot (reboot at a time you choose because
>>>> it may take a long time to relabel every file on your system -
>>>> especially if you have a lot of files).
>>>>
>>>> Craig
>>>
>>> What Craig implies is that your system won't be available for quite a
>>> long time (relatively), while the relabel takes place.  The boot time
>>> with an autorelabel is very long, and you won't have access to the
>>> server until the relabel is completed.  So choose your time for the
>>> reboot with that knowledge.
>>>
>>> Ian
>>
>> No problems there - I'm getting my selinux feet wet on a test box. Not
>> quite ready to risk torching a production machine.
>>
>> The relabel did take some time after a reboot - portmap & httpd started
>> ok. While postgrey, clamd, postfix and amavisd all started, none could
>> access the libs & dirs they needed to process emails.
>>
>> So I disabled selinux, rebooted, made sure everything worked alright -
>> which it did. Then enabled permissive mode & rebooted & it relabeled
>> itself this time.
>>
>> After running some things, send/receive email, it still wants to deny:
>>
>> type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for
>> pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
>> scontext=system_u:system_r:clamd_t:s0
>> tcontext=system_u:object_r:var_t:s0 tclass=file
>>
>> type=AVC msg=audit(1216990777.968:73): avc:  denied  { read } for
>> pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
>> scontext=system_u:system_r:clamd_t:s0
>> tcontext=system_u:object_r:proc_t:s0 tclass=file
>>
>> type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for
>> pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
>> scontext=system_u:system_r:clamd_t:s0
>> tcontext=system_u:object_r:proc_t:s0 tclass=file
>>
>> type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for
>> pid=2762 comm="postfix-script"
>> scontext=root:system_r:postfix_master_t:s0
>> tcontext=root:system_r:initrc_t:s0 tclass=process
>>
>> type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for
>> pid=2116 comm="amavisd" name="p002.exe"
>> scontext=system_u:system_r:amavis_t:s0
>> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>>
>> type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for
>> pid=2970 comm="arj"
>> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
>> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
>> tcontext=system_u:object_r:amavis_var_lib_t:s0
>> tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process
>>
>> type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for
>> pid=2116 comm="amavisd" name="p002.exe"
>> scontext=system_u:system_r:amavis_t:s0
>> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>>
>> type=AVC msg=audit(1216992166.372:123): avc:  denied  { unlink } for
>> pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
>> scontext=system_u:system_r:amavis_t:s0
>> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>>
>> type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for
>> pid=2970 comm="arj"
>> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
>> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
>> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>>
>> SO - is it normal to have to update policies on basic services? Am I
>> missing an rpm?
>
> those aren't basic services but are packages that are supplied by

postfix is centos, the rest are from rpmforge

> repositories other than CentOS/upstream and apparently don't have all of
> their files/folder labeled properly.
>
> what do you get from command...
>
> sealert -a /var/log/dmesg

zero alerts

> or
> sealert -a /var/log/audit/audit.log

lots of stuff from when it wasn't labeled right, so I stripped all
audit.log entries before the last DAEMON_START to a file & ran sealert
on it.

found 15 alerts in new_audit_log

Summary:

SELinux is preventing clamd (clamd_t) "search" to ./kernel 
(sysctl_kernel_t).


Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this 
access is
required by clamd and this access may signal an intrusion attempt. It is 
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to 
restore

the default system file context for ./kernel,

restorecon -v './kernel'

If this does not work, there is currently no automatic way to allow this 
access.
Instead, you can generate a local policy module to allow this access - 
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385

Re: [CentOS] selinux & httpd & portmap

2008-07-25 Thread Craig White
On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:
> Ian Blackwell wrote:
> > Craig White wrote:
> >> Suggest that you make sure you are fully updated, then
> >> 'touch /.autorelabel' then reboot (reboot at a time you choose because
> >> it may take a long time to relabel every file on your system -
> >> especially if you have a lot of files).
> >>
> >> Craig
> >>   
> > What Craig implies is that your system won't be available for quite a 
> > long time (relatively), while the relabel takes place.  The boot time 
> > with an autorelabel is very long, and you won't have access to the 
> > server until the relabel is completed.  So choose your time for the 
> > reboot with that knowledge.
> > 
> > Ian
> > 
> > 
> 
> 
> No problems there - I'm getting my selinux feet wet on a test box. Not 
> quite ready to risk torching a production machine.
> 
> 
> 
> The relabel did take some time after a reboot - portmap & httpd started 
> ok. While postgrey, clamd, postfix and amavisd all started, none could
> access the libs & dirs they needed to process emails.
> 
> So I disabled selinux, rebooted, made sure everything worked alright - 
> which it did. Then enabled permissive mode & rebooted & it relabeled 
> itself this time.
> 
> After running some things, send/receive email, it still wants to deny:
> 
> 
> type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for 
> pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:var_t:s0 tclass=file
> 
> type=AVC msg=audit(1216990777.968:73): avc:  denied  { read } for 
> pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> 
> type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for 
> pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> 
> type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for 
> pid=2762 comm="postfix-script" 
> scontext=root:system_r:postfix_master_t:s0 
> tcontext=root:system_r:initrc_t:s0 tclass=process
> 
> type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for 
> pid=2116 comm="amavisd" name="p002.exe" 
> scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for 
> pid=2970 comm="arj" 
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" 
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 
> tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process
> 
> type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for 
> pid=2116 comm="amavisd" name="p002.exe" 
> scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> type=AVC msg=audit(1216992166.372:123): avc:  denied  { unlink } for 
> pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252 
> scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for 
> pid=2970 comm="arj" 
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" 
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> 
> 
> SO - is it normal to have to update policies on basic services? Am I 
> missing an rpm?

those aren't basic services but are packages that are supplied by
repositories other than CentOS/upstream and apparently don't have all of
their files/folder labeled properly.

what do you get from command...

sealert -a /var/log/dmesg
or
sealert -a /var/log/audit/audit.log

Craig



Re: [CentOS] selinux & httpd & portmap

2008-07-25 Thread Toby Bluhm

Ian Blackwell wrote:
> Craig White wrote:
>> Suggest that you make sure you are fully updated, then
>> 'touch /.autorelabel' then reboot (reboot at a time you choose because
>> it may take a long time to relabel every file on your system -
>> especially if you have a lot of files).
>>
>> Craig
>
> What Craig implies is that your system won't be available for quite a
> long time (relatively), while the relabel takes place.  The boot time
> with an autorelabel is very long, and you won't have access to the
> server until the relabel is completed.  So choose your time for the
> reboot with that knowledge.
>
> Ian

No problems there - I'm getting my selinux feet wet on a test box. Not 
quite ready to risk torching a production machine.




The relabel did take some time after a reboot - portmap & httpd started 
ok. While postgrey, clamd, postfix and amavisd all started, none could
access the libs & dirs they needed to process emails.


So I disabled selinux, rebooted, made sure everything worked alright - 
which it did. Then enabled permissive mode & rebooted & it relabeled 
itself this time.


After running some things, send/receive email, it still wants to deny:


type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for 
pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 
scontext=system_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=file


type=AVC msg=audit(1216990777.968:73): avc:  denied  { read } for 
pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 
scontext=system_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:proc_t:s0 tclass=file


type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for 
pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 
scontext=system_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:proc_t:s0 tclass=file


type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for 
pid=2762 comm="postfix-script" 
scontext=root:system_r:postfix_master_t:s0 
tcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for 
pid=2116 comm="amavisd" name="p002.exe" 
scontext=system_u:system_r:amavis_t:s0 
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for 
pid=2970 comm="arj" 
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" 
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 
tcontext=system_u:object_r:amavis_var_lib_t:s0 
tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for 
pid=2116 comm="amavisd" name="p002.exe" 
scontext=system_u:system_r:amavis_t:s0 
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.372:123): avc:  denied  { unlink } for 
pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252 
scontext=system_u:system_r:amavis_t:s0 
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for 
pid=2970 comm="arj" 
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" 
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file




SO - is it normal to have to update policies on basic services? Am I 
missing an rpm?





--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203



Re: [CentOS] selinux & httpd & portmap

2008-07-24 Thread Ian Blackwell

Craig White wrote:
> Suggest that you make sure you are fully updated, then
> 'touch /.autorelabel' then reboot (reboot at a time you choose because
> it may take a long time to relabel every file on your system -
> especially if you have a lot of files).
>
> Craig

What Craig implies is that your system won't be available for quite a 
long time (relatively), while the relabel takes place.  The boot time 
with an autorelabel is very long, and you won't have access to the 
server until the relabel is completed.  So choose your time for the 
reboot with that knowledge.


Ian




Re: [CentOS] selinux & httpd & portmap

2008-07-24 Thread Craig White
On Thu, 2008-07-24 at 15:23 -0400, Toby Bluhm wrote:
> Having problems starting httpd & portmapper
> 
> #service httpd start
> /usr/sbin/httpd: error while loading shared libraries: libm.so.6: cannot 
> open shared object file: No such file or directory
> 
> and I traced it to selinux, which I had just turned on for the first time:
> 
> # sestatus
> SELinux status: enabled
> SELinuxfs mount:/selinux
> Current mode:   enforcing
> Mode from config file:  enforcing
> Policy version: 21
> Policy from config file:targeted
> 
> I can
> 
> #setsebool -P httpd_disable_trans on
> 
> and httpd starts - but there's zero enforcing now as I understand it.
> 
> Further digging & I get to:
> 
> # cat /var/log/audit/audit.log | audit2allow -m local
> 
> module local 1.0;
> 
> require {
>  type portmap_t;
>  type httpd_t;
>  type file_t;
>  class lnk_file read;
>  class file { getattr read execute };
> }
> 
> #= httpd_t ==
> allow httpd_t file_t:file { read getattr execute };
> allow httpd_t file_t:lnk_file read;
> 
> #= portmap_t ==
> allow portmap_t file_t:file { read getattr execute };
> allow portmap_t file_t:lnk_file read;
> 
> 
> Other stuff like postfix, postgrey, amavisd are working fine since 
> turning selinux on.
> 
> Before I make a mess of things with trying to make a new policy, 
> shouldn't two basic services like portmap & httpd already be allowed to 
> run out of the box by selinux?
> 
> If not, am I going down the right path to get it working?

if you just turned selinux on after running the computer with it
disabled, you really need to relabel the entire filesystem, which does
take some time. The reason is that files have been installed/created
without the appropriate contexts and relabeling fixes that.

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig



[CentOS] selinux & httpd & portmap

2008-07-24 Thread Toby Bluhm

Having problems starting httpd & portmapper

#service httpd start
/usr/sbin/httpd: error while loading shared libraries: libm.so.6: cannot 
open shared object file: No such file or directory


and I traced it to selinux, which I had just turned on for the first time:

# sestatus
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 21
Policy from config file:targeted

I can

#setsebool -P httpd_disable_trans on

and httpd starts - but there's zero enforcing now as I understand it.

Further digging & I get to:

# cat /var/log/audit/audit.log | audit2allow -m local

module local 1.0;

require {
type portmap_t;
type httpd_t;
type file_t;
class lnk_file read;
class file { getattr read execute };
}

#= httpd_t ==
allow httpd_t file_t:file { read getattr execute };
allow httpd_t file_t:lnk_file read;

#= portmap_t ==
allow portmap_t file_t:file { read getattr execute };
allow portmap_t file_t:lnk_file read;


Other stuff like postfix, postgrey, amavisd are working fine since 
turning selinux on.


Before I make a mess of things with trying to make a new policy, 
shouldn't two basic services like portmap & httpd already be allowed to 
run out of the box by selinux?


If not, am I going down the right path to get it working?

Thanks



--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203

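Added example, not code from the thread or from any of the posters: a Python triage script that automates what was done by hand above, parsing raw AVC lines like the ones quoted in this thread, setting aside denials whose target type is a generic or never-assigned label (file_t, var_t), which call for restorecon or a file-context rule rather than a new allow rule, and rendering the rest in the audit2allow module format shown in the thread. The LABELING_TYPES set and the sample audit lines (copied from the thread and unwrapped) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Target types that usually mean "the file is mislabeled" rather than "the
# policy lacks a rule": file_t is what files created while SELinux was off
# carry (cured by touch /.autorelabel), var_t is the generic /var label that
# restorecon or a file-context rule should replace with the daemon's own type.
# This set is an assumption of the example, not something audit2allow knows.
LABELING_TYPES = {"file_t", "var_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one raw AVC denial line; return None for SYSCALL and other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in f for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(f["scontext"]),
        "ttype": context_type(f["tcontext"]),
        "tclass": f["tclass"],
        "comm": f.get("comm", "?"),
        "target": f.get("path") or f.get("name") or "?",
    }


def triage(lines):
    """Split denials into (labeling problems, {(stype, ttype, tclass): perms})."""
    labeling, rules = [], defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if d["ttype"] in LABELING_TYPES:
            labeling.append(d)          # fix the label, do not widen the policy
        else:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return labeling, dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(rules, name="local"):
    """Render the remaining denials as an audit2allow-style .te module."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{cls} {fmt_perms(perms)};")
        out.append("")
    return "\n".join(out)


# Constructed sample: a few of the AVC lines quoted in the thread, unwrapped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.968:73): avc:  denied  { read } for pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for pid=2116 comm="amavisd" name="p002.exe" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1216992166.372:123): avc:  denied  { unlink } for pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1216992166.372:123): arch=4003 syscall=10 success=yes exit=0 comm="amavisd"
"""

if __name__ == "__main__":
    labeling, rules = triage(SAMPLE_AUDIT.splitlines())
    for d in labeling:
        print(f"LABELING: {d['comm']} ({d['stype']}) hit {d['ttype']}: restorecon -v '{d['target']}'")
    print(to_te(rules))
```

On the sample, the clamd read of /var/clamav/main.cvd is reported as a labeling problem, while the /proc, signal and lnk_file denials become the allow rules of a `local` module that can be compiled and loaded the same way the thread does with audit2allow -M and semodule -i.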