The audit.log should contain more detail than is being provided here,
if it is a unix socket you should see the path, i suspect it is the
unix socket not the tcp sockets (pop3/imap)
On 30 Apr 2009, at 4:50 PM, Dan Roberts wrote:
Ok, but how?
There appear to be a lot of different options when employing
audit2allow and I am reluctant to start blazing away trying
different elements. I am missing the details of what socket an dhow
the execution is occuring so that I can begin to develop the proper
audit2allow sequence.
On Apr 30, 2009, at 8:43 AM, Andrew Colin Kissa wrote:
Hi
Dovecot is trying to open a socket, and procmail is trying to
execute spamc, You should be able to fix these issues using
audit2allow.
Andrew.
On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:
Following a hard drive corruption I have reinstalled the latest
version of CentOS and all current patch files.
For most applications I selected the default options. By doing
this I expected that the packages would play nice with one another
and I could customize as necessary.
Setting SELinux to enforce I encountered all sorts of problems -
but most were resolvable, save for Dovecot, Procmail (for spamc),
and an odd one with Apache.
Given that these were all installed with the CentOS install
defaults, I can't believe I am the only one with these issues but
finding a solution has not been self evident. Hoping someone here
can help.
For Dovecot I get the following:
SELinux is preventing dovecot (dovecot_t) "create" to <Unknown>
(dovecot_t). For complete SELinux messages. run sealert -l
e1b070ab-586a-4c5a-befe-b6a46b9ab992
For procmail I get the following:
SELinux is preventing procmail (procmail_t) "execute" to ./spamc
(spamc_exec_t). For complete SELinux messages. run sealert -l
0a554689-4948-4edf-9964-dddbfe6a2492
SELinux is preventing sh (procmail_t) "read" to ./spamc
(spamc_exec_t). For complete SELinux messages. run sealert -l
1f1ebd83-412d-4e93-a36f-6f3d34c663df
For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be directory
But it is a directory, has the correct permissions and I have even
run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to
correct the problem. I run a virtual server too, and in trying to
find a fix for this that may be a problem - but first things first.
All the other issues I had I could resolve when I ran the
specified "sealert" tag and followed the suggested instructions -
but those above don't budge. When I go to the fedora.redhat.com/
docs/selinux-fq-fc5 site to take on making a local policy module I
am quickly getting lost . The option to simply disable SElinux
with respect to Apache, Dovecote or anything else is suggested -
but not something I see in the GUI window, and I have not figured
out how to do it from the command line.
Again, because these are default packages, I hope that someone
else knows how to resolve these.
With respect to the to reports from SELinux regarding Dovecot and
promail, here is a bit more info:
The info and Raw Audit message for dovecot_t is:
Source Context system_u:system_r:dovecot_t:s0
Target Context system_u:system_r:dovecot_t:s0
Target Objects None [ socket ]
Source dovecot
Source Path /usr/sbin/dovecot
Port <Unknown>
Host trailrunner
Source RPM Packages dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name trailrunner
Platform Linux trailrunner
2.6.18-128.1.6.el5xen #1 SMP Wed
Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count 2
First Seen Wed Apr 29 15:39:51 2009
Last Seen Wed Apr 29 15:47:31 2009
Local ID e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers
Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:
denied { create } for pid=3884 comm="dovecot"
scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33):
arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070
a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot"
subj=system_u:system_r:dovecot_t:s0 key=(null)
The Raw Audit Message for Procmail is:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:spamc_exec_t:s0
Target Objects ./spamc [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host trailrunner
Source RPM Packages procmail-3.22-17.1.el5.centos
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name trailrunner
Platform Linux trailrunner
2.6.18-128.1.6.el5xen #1 SMP Wed
Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count 29
First Seen Wed Apr 29 15:40:40 2009
Last Seen Wed Apr 29 16:25:40 2009
Local ID 0a554689-4948-4edf-9964-dddbfe6a2492
Line Numbers
Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241043940.918:166): avc:
denied { execute } for pid=3344 comm="procmail" name="spamc"
dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=trailrunner type=SYSCALL msg=audit(1241043940.918:166):
arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020
a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
