Re: selinux preventing access to directory net
On Tue, 18 Jul 2017 10:42:06 +0200, David Sommerseth wrote:

> On 17/07/17 20:15, Stephen Isard wrote:
>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>
> Yes, this is exim trying to read some files in /proc/sys/net, starting with scanning the directory. I'd suggest reporting this as a bug in the Red Hat bug tracker, file it under selinux-policy component - that team should be able to figure out if this is a bug or not. My quick search there didn't turn up anything in particular.

I followed your suggestion (https://bugzilla.redhat.com/show_bug.cgi?id=1472432) and got a comment from mma...@redhat.com that it looks the same as BZ#141, but I don't have permission to view that.
Re: selinux preventing access to directory net
On Tue, 18 Jul 2017 17:03:40 +0100, Andrew C Aitchison wrote:

> On Tue, 18 Jul 2017, Stephen Isard wrote:
>
>> On Mon, 17 Jul 2017 23:52:22 +0200, Maarten wrote:
>>
>>> The process exim running with the selinux context exim_t is trying to access the directory /proc/net which has the selinux context sysctl_net_t.
>>>
>>> Causing selinux to block access to directory, because the source context is different from the destination context.
>>
>> Yes, thank you, I've got that part. As I said earlier, what I am wondering now is why exim is trying to search that directory, and whether I want it to. It happens at - to me - unpredictable times, apparently unrelated to any messages being sent or received.
>
> Looking at the upstream source for exim 4.89, there are two lots of references to /proc
> 1) /proc/loadavg
> 2) /proc/net/if_inet6
> unsurprisingly exim uses these to determine load average and IPv6 address etc...
>
> I don't know whether the binary rpms add any other uses of /proc - which version of exim are you using - the one from epel?

Yes, it is exim 4.89-1.el7 from epel.
Re: selinux preventing access to directory net
On Tue, 18 Jul 2017, Stephen Isard wrote:

> On Mon, 17 Jul 2017 23:52:22 +0200, Maarten wrote:
>
>> The process exim running with the selinux context exim_t is trying to access the directory /proc/net which has the selinux context sysctl_net_t.
>>
>> Causing selinux to block access to directory, because the source context is different from the destination context.
>
> Yes, thank you, I've got that part. As I said earlier, what I am wondering now is why exim is trying to search that directory, and whether I want it to. It happens at - to me - unpredictable times, apparently unrelated to any messages being sent or received.

Looking at the upstream source for exim 4.89, there are two lots of references to /proc
1) /proc/loadavg
2) /proc/net/if_inet6
unsurprisingly exim uses these to determine load average and IPv6 address etc...

I don't know whether the binary rpms add any other uses of /proc - which version of exim are you using - the one from epel?

-- 
Andrew C Aitchison
Cambridge, UK
Re: selinux preventing access to directory net
On Tue, 18 Jul 2017 10:42:06 +0200, David Sommerseth wrote:

> On 17/07/17 20:15, Stephen Isard wrote:
>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>
> Yes, this is exim trying to read some files in /proc/sys/net, starting with scanning the directory. I'd suggest reporting this as a bug in the Red Hat bug tracker, file it under selinux-policy component - that team should be able to figure out if this is a bug or not. My quick search there didn't turn up anything in particular.

Thanks for that advice. I was hesitating to report it to a bug tracker partly because I didn't know which category was appropriate and partly because I don't know what is triggering the scans or how to make one happen.
Re: selinux preventing access to directory net
On Mon, 17 Jul 2017 23:52:22 +0200, Maarten wrote:

> The process exim running with the selinux context exim_t is trying to access the directory /proc/net which has the selinux context sysctl_net_t.
>
> Causing selinux to block access to directory, because the source context is different from the destination context.

Yes, thank you, I've got that part. As I said earlier, what I am wondering now is why exim is trying to search that directory, and whether I want it to. It happens at - to me - unpredictable times, apparently unrelated to any messages being sent or received.

> Redhat has a package that updates all the active selinux policies on the system, I think it is selinux-policy-targeted; they update the policies every now and then. I would think they make policies for everything from the base repos. Exim is from epel and so is the nrpe package (which I'm getting the selinux messages from). I don't know how selinux policies are managed for packages outside of the base repos. That's probably why there are multiple ways to manage selinux with custom policies, booleans, and selinux contexts etc. Maybe someone else knows how selinux policies for packages in third party repos are managed? Does that help?
>
> Cheers,
>
> Maarten
>
> On 07/17/2017 11:02 PM, Stephen Isard wrote:
>> On Mon, 17 Jul 2017 21:33:29 +0200, Maarten wrote:
>>
>>> Well, is exim able to do what it is supposed to do as an mta (transfer/transport mail) with selinux blocking this? If not you could create a custom selinux policy for it. If it is able to do what is supposed to and you aren't running into any unwanted results you can just leave it.
>>
>> Indeed, but I would still prefer to understand what is going on.
>>
>>> I got selinux blocking access to /proc/sys on a couple of nagios checks via nrpe but it's not preventing the checks from working.
>>>
>>> You could probably try to create it by doing something like this if exim is not able to do its job by selinux blocking it:
>>>
>>> ausearch -c 'exim' --raw |audit2allow -M mypol
>>>
>>> then: semodule -i mypol.pp
>>>
>>> On 07/17/2017 09:09 PM, Stephen Isard wrote:
>>>> On Mon, 17 Jul 2017 20:22:05 +0200, Maarten wrote:
>>>>> You could use audit to allow to see what you need to allow it:
>>>>>
>>>>> cat /var/log/audit/audit.log | audit2allow.
>>>>
>>>> Thanks, that helps. The log entry recommends ausearch -c 'exim' --raw |audit2allow, so I've tried that and got
>>>>
>>>> libsepol.sepol_string_to_security_class: unrecognized class dir
>>>>
>>>> #== exim_t ==
>>>> allow exim_t sysctl_net_t:dir search;
>>>>
>>>> /proc/sys/net, as opposed to /proc/net, is of type sysctl_net_t, so that may be where exim is trying to search. If so, the question is then why, and do I want it to.
>>>>
>>>>> This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure.
>>>>>
>>>>> And then create your own selinux policy:
>>>>>
>>>>> cat /var/log/audit/audit.log | audit2allow -M mypol
>>>>>
>>>>> then install the policy via semodule -i mypol.pp
>>>>>
>>>>> On 07/17/2017 08:15 PM, Stephen Isard wrote:
>>>>>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>>>>>
>>>>>> Sealert -l tells me
>>>>>>
>>>>>> Raw Audit Messages
>>>>>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>>>>>
>>>>>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>>>>>
>>>>>> which doesn't seem to be much help.
>>>>>>
>>>>>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>>>>>
>>>>>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even
Re: selinux preventing access to directory net
On 17/07/17 20:15, Stephen Isard wrote:
> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>
> Sealert -l tells me
>
> Raw Audit Messages
> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>
> which doesn't seem to be much help.
>
> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.

Yes, this is exim trying to read some files in /proc/sys/net, starting with scanning the directory. I'd suggest reporting this as a bug in the Red Hat bug tracker, file it under selinux-policy component - that team should be able to figure out if this is a bug or not. My quick search there didn't turn up anything in particular.

-- 
kind regards,
David Sommerseth
Re: selinux preventing access to directory net
The process exim running with the selinux context exim_t is trying to access the directory /proc/net which has the selinux context sysctl_net_t.

Causing selinux to block access to directory, because the source context is different from the destination context.

Redhat has a package that updates all the active selinux policies on the system, I think it is selinux-policy-targeted; they update the policies every now and then. I would think they make policies for everything from the base repos. Exim is from epel and so is the nrpe package (which I'm getting the selinux messages from). I don't know how selinux policies are managed for packages outside of the base repos. That's probably why there are multiple ways to manage selinux with custom policies, booleans, and selinux contexts etc. Maybe someone else knows how selinux policies for packages in third party repos are managed? Does that help?

Cheers,

Maarten

On 07/17/2017 11:02 PM, Stephen Isard wrote:
> On Mon, 17 Jul 2017 21:33:29 +0200, Maarten wrote:
>
>> Well, is exim able to do what it is supposed to do as an mta (transfer/transport mail) with selinux blocking this? If not you could create a custom selinux policy for it. If it is able to do what is supposed to and you aren't running into any unwanted results you can just leave it.
>
> Indeed, but I would still prefer to understand what is going on.
>
>> I got selinux blocking access to /proc/sys on a couple of nagios checks via nrpe but it's not preventing the checks from working.
>>
>> You could probably try to create it by doing something like this if exim is not able to do its job by selinux blocking it:
>>
>> ausearch -c 'exim' --raw |audit2allow -M mypol
>>
>> then: semodule -i mypol.pp
>>
>> On 07/17/2017 09:09 PM, Stephen Isard wrote:
>>> On Mon, 17 Jul 2017 20:22:05 +0200, Maarten wrote:
>>>> You could use audit to allow to see what you need to allow it:
>>>>
>>>> cat /var/log/audit/audit.log | audit2allow.
>>>
>>> Thanks, that helps. The log entry recommends ausearch -c 'exim' --raw |audit2allow, so I've tried that and got
>>>
>>> libsepol.sepol_string_to_security_class: unrecognized class dir
>>>
>>> #== exim_t ==
>>> allow exim_t sysctl_net_t:dir search;
>>>
>>> /proc/sys/net, as opposed to /proc/net, is of type sysctl_net_t, so that may be where exim is trying to search. If so, the question is then why, and do I want it to.
>>>
>>>> This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure.
>>>>
>>>> And then create your own selinux policy:
>>>>
>>>> cat /var/log/audit/audit.log | audit2allow -M mypol
>>>>
>>>> then install the policy via semodule -i mypol.pp
>>>>
>>>> On 07/17/2017 08:15 PM, Stephen Isard wrote:
>>>>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>>>>
>>>>> Sealert -l tells me
>>>>>
>>>>> Raw Audit Messages
>>>>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>>>>
>>>>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>>>>
>>>>> which doesn't seem to be much help.
>>>>>
>>>>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>>>>
>>>>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>>>>>
>>>>> Any suggestions for where to look?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Stephen Isard
Re: selinux preventing access to directory net
On Mon, 17 Jul 2017 21:33:29 +0200, Maarten wrote:

> Well, is exim able to do what it is supposed to do as an mta (transfer/transport mail) with selinux blocking this? If not you could create a custom selinux policy for it. If it is able to do what is supposed to and you aren't running into any unwanted results you can just leave it.

Indeed, but I would still prefer to understand what is going on.

> I got selinux blocking access to /proc/sys on a couple of nagios checks via nrpe but it's not preventing the checks from working.
>
> You could probably try to create it by doing something like this if exim is not able to do its job by selinux blocking it:
>
> ausearch -c 'exim' --raw |audit2allow -M mypol
>
> then: semodule -i mypol.pp
>
> On 07/17/2017 09:09 PM, Stephen Isard wrote:
>> On Mon, 17 Jul 2017 20:22:05 +0200, Maarten wrote:
>>
>>> You could use audit to allow to see what you need to allow it:
>>>
>>> cat /var/log/audit/audit.log | audit2allow.
>>
>> Thanks, that helps. The log entry recommends ausearch -c 'exim' --raw |audit2allow, so I've tried that and got
>>
>> libsepol.sepol_string_to_security_class: unrecognized class dir
>>
>> #== exim_t ==
>> allow exim_t sysctl_net_t:dir search;
>>
>> /proc/sys/net, as opposed to /proc/net, is of type sysctl_net_t, so that may be where exim is trying to search. If so, the question is then why, and do I want it to.
>>
>>> This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure.
>>>
>>> And then create your own selinux policy:
>>>
>>> cat /var/log/audit/audit.log | audit2allow -M mypol
>>>
>>> then install the policy via semodule -i mypol.pp
>>>
>>> On 07/17/2017 08:15 PM, Stephen Isard wrote:
>>>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>>>
>>>> Sealert -l tells me
>>>>
>>>> Raw Audit Messages
>>>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>>>
>>>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>>>
>>>> which doesn't seem to be much help.
>>>>
>>>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>>>
>>>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>>>>
>>>> Any suggestions for where to look?
>>>>
>>>> Thanks,
>>>>
>>>> Stephen Isard
Re: selinux preventing access to directory net
Well, is exim able to do what it is supposed to do as an mta (transfer/transport mail) with selinux blocking this? If not you could create a custom selinux policy for it. If it is able to do what is supposed to and you aren't running into any unwanted results you can just leave it.

I got selinux blocking access to /proc/sys on a couple of nagios checks via nrpe but it's not preventing the checks from working.

You could probably try to create it by doing something like this if exim is not able to do its job by selinux blocking it:

ausearch -c 'exim' --raw |audit2allow -M mypol

then: semodule -i mypol.pp

On 07/17/2017 09:09 PM, Stephen Isard wrote:
> On Mon, 17 Jul 2017 20:22:05 +0200, Maarten wrote:
>
>> You could use audit to allow to see what you need to allow it:
>>
>> cat /var/log/audit/audit.log | audit2allow.
>
> Thanks, that helps. The log entry recommends ausearch -c 'exim' --raw |audit2allow, so I've tried that and got
>
> libsepol.sepol_string_to_security_class: unrecognized class dir
>
> #== exim_t ==
> allow exim_t sysctl_net_t:dir search;
>
> /proc/sys/net, as opposed to /proc/net, is of type sysctl_net_t, so that may be where exim is trying to search. If so, the question is then why, and do I want it to.
>
>> This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure.
>>
>> And then create your own selinux policy:
>>
>> cat /var/log/audit/audit.log | audit2allow -M mypol
>>
>> then install the policy via semodule -i mypol.pp
>>
>> On 07/17/2017 08:15 PM, Stephen Isard wrote:
>>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>>
>>> Sealert -l tells me
>>>
>>> Raw Audit Messages
>>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>>
>>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>>
>>> which doesn't seem to be much help.
>>>
>>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>>
>>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>>>
>>> Any suggestions for where to look?
>>>
>>> Thanks,
>>>
>>> Stephen Isard
Re: selinux preventing access to directory net
On Mon, 17 Jul 2017 20:22:05 +0200, Maarten wrote:

> You could use audit to allow to see what you need to allow it:
>
> cat /var/log/audit/audit.log | audit2allow.

Thanks, that helps. The log entry recommends ausearch -c 'exim' --raw |audit2allow, so I've tried that and got

libsepol.sepol_string_to_security_class: unrecognized class dir

#== exim_t ==
allow exim_t sysctl_net_t:dir search;

/proc/sys/net, as opposed to /proc/net, is of type sysctl_net_t, so that may be where exim is trying to search. If so, the question is then why, and do I want it to.

> This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure.
>
> And then create your own selinux policy:
>
> cat /var/log/audit/audit.log | audit2allow -M mypol
>
> then install the policy via semodule -i mypol.pp
>
> On 07/17/2017 08:15 PM, Stephen Isard wrote:
>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>
>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>>
>> Any suggestions for where to look?
>>
>> Thanks,
>>
>> Stephen Isard
Re: selinux preventing access to directory net
I think he maybe meant audit2allow? Which you would need this package for: policycoreutils-python

On 07/17/2017 08:39 PM, Stephen Isard wrote:
> Thanks, but I can't find audit2text in the sl7 or epel repositories. "yum search audit2text" and "yum provides '*/audit2text'" both come up blank. Can you tell me where to get it?
>
> On Mon, 17 Jul 2017, Paul Robert Marino prmarino1-at-gmail.com |Scientific Linux| wrote:
>
>> It looks like you may be right that it's /proc/net
>>
>> Have you tried using the python audit tools such as audit2text to analyze them? They can make it a lot easier to understand what's going on, though they usually don't tell you if there is a bool you can flip to fix it.
>> That tool still needs to be written :)
>>
>> Original Message
>> From: 7p03xy...@sneakemail.com
>> Sent: July 17, 2017 2:16 PM
>> To: scientific-linux-us...@listserv.fnal.gov
>> Subject: selinux preventing access to directory net
>>
>> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>>
>> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>>
>> Any suggestions for where to look?
>>
>> Thanks,
>>
>> Stephen Isard
Re: selinux preventing access to directory net
Thanks, but I can't find audit2text in the sl7 or epel repositories. "yum search audit2text" and "yum provides '*/audit2text'" both come up blank. Can you tell me where to get it?

On Mon, 17 Jul 2017, Paul Robert Marino prmarino1-at-gmail.com |Scientific Linux| wrote:

> It looks like you may be right that it's /proc/net
>
> Have you tried using the python audit tools such as audit2text to analyze them? They can make it a lot easier to understand what's going on, though they usually don't tell you if there is a bool you can flip to fix it.
> That tool still needs to be written :)
>
> Original Message
> From: 7p03xy...@sneakemail.com
> Sent: July 17, 2017 2:16 PM
> To: scientific-linux-us...@listserv.fnal.gov
> Subject: selinux preventing access to directory net
>
> On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.
>
> Sealert -l tells me
>
> Raw Audit Messages
> type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>
> which doesn't seem to be much help.
>
> Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.
>
> All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.
>
> Any suggestions for where to look?
>
> Thanks,
>
> Stephen Isard
Re: selinux preventing access to directory net
You could use audit2allow to see what you need to allow it:

cat /var/log/audit/audit.log | audit2allow

This output may advise you to enable a certain boolean instead of creating your own policy or changing the selinux context on a certain dir structure. And then create your own selinux policy:

cat /var/log/audit/audit.log | audit2allow -M mypol

then install the policy via

semodule -i mypol.pp

On 07/17/2017 08:15 PM, Stephen Isard wrote:
> [original message quoted in full; see the original post below]
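The two audit records quoted in the original post can also be read without audit2allow. The following is an added example (not code from the thread or from the audit tools): it parses the AVC and SYSCALL records, joins them by their shared event serial so the denied binary and syscall are visible in one line, and builds the TE allow rule that audit2allow would derive from the AVC record, in the same syntax audit2allow prints. The sample records are the ones from the thread, embedded as constructed input.

```python
import re

# Constructed sample input: the two audit records quoted in this thread.
AUDIT_LINES = [
    'type=AVC msg=audit(1500313603.937:268): avc: denied { search } for '
    'pid=3097 comm="exim" name="net" dev="proc" ino=7154 '
    'scontext=system_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open '
    'success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 '
    'pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 '
    'sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim '
    'subj=system_u:system_r:exim_t:s0 key=(null)',
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """key=value fields of one record; AVC records also get 'result' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['event'] = rec['msg'].split(':')[1].rstrip(')')  # serial shared by one event
    avc = AVC_RE.search(line)
    if avc:
        rec['result'], rec['perms'] = avc.group(1), avc.group(2).split()
    return rec

def correlate(lines):
    """Group records by event serial so each AVC sits beside its SYSCALL record."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['event'], {})[rec['type']] = rec
    return events

def type_of(ctx):
    return ctx.split(':')[2]  # system_u:system_r:exim_t:s0 -> exim_t

def allow_rule(avc):
    """The TE rule audit2allow would derive from this denial (review it before loading)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(avc['scontext']),
                                   type_of(avc['tcontext']), avc['tclass'], perm_str)

def explain(event):
    """One line answering the thread's question: which binary and syscall were denied."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    return '%s (pid %s, %s) %s %s on %s "%s" (%s) in %s(); exit=%s' % (
        sc.get('exe', avc['comm']), avc['pid'], type_of(avc['scontext']), avc['result'],
        ' '.join(avc['perms']), avc['tclass'], avc['name'], type_of(avc['tcontext']),
        sc.get('syscall', '?'), sc.get('exit', '?'))
```

For the thread's records this yields the rule `allow exim_t sysctl_net_t:dir search;`, which is what a generated mypol.pp would contain; as the reply above says, check for an existing boolean before loading a custom rule that widens exim_t.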
Re: selinux preventing access to directory net
It looks like you may be right that it's /proc/net. Have you tried using the python audit tools such as audit2text to analyze them? They can make it a lot easier to understand what's going on, though they usually don't tell you if there is a bool you can flip to fix it. That tool still needs to be written :)

Original Message
From: 7p03xy...@sneakemail.com
Sent: July 17, 2017 2:16 PM
To: scientific-linux-us...@listserv.fnal.gov
Subject: selinux preventing access to directory net

[original message quoted in full; see the original post below]
selinux preventing access to directory net
On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages.

Sealert -l tells me

Raw Audit Messages
type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)

which doesn't seem to be much help.

Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either.

All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs.

Any suggestions for where to look?

Thanks,

Stephen Isard