F19-mailserver & selinux complains

Daniel J Walsh dwalsh at redhat.com
Wed Jun 5 13:41:40 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/05/2013 01:59 AM, Cristian Sava wrote:
> On Tue, 2013-06-04 at 11:40 -0400, Daniel J Walsh wrote:
>> On 06/04/2013 05:06 AM, Cristian Sava wrote:
>>> I am trying to activate selinux for my mailserver. It is F19 
>>> postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual 
>>> environment. All needed is stock or was packaged on F19 (rpmbuild -ta
>>> ... / rpmbuild -ba ...) and all is working fine (selinux disabled). No
>>> tar.gz directly installed. I am trying to fix things one by one. Any
>>> advice is welcome. When receiving a message selinux complain
>>> (permissive):
>>> 
>>> SELinux is preventing /usr/sbin/courierlogger from getattr access on
>>> the file /var/spool/authdaemon/pid.
>>> 
>>> *****  Plugin catchall (100. confidence) suggests 
>>> ***************************
>>> 
>>> If you believe that courierlogger should be allowed getattr access on
>>> the pid file by default. Then you should report this as a bug. You can
>>> generate a local policy module to allow this access. Do allow this
>>> access for now by executing: # grep courierlogger
>>> /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
>>> 
>>> Additional Information: Source Context 
>>> system_u:system_r:courier_authdaemon_t:s0 Target Context 
>>> system_u:object_r:courier_spool_t:s0 Target Objects 
>>> /var/spool/authdaemon/pid [ file ] Source courierlogger Source Path
>>> /usr/sbin/courierlogger Port <Unknown> Host
>>> s198.domain.xx Source RPM Packages courier-authlib-0.65.0-1.fc19.x86_64
>>> Target RPM Packages courier-authlib-0.65.0-1.fc19.x86_64 Policy RPM 
>>> selinux-policy-3.12.1-47.fc19.noarch Selinux Enabled               True
>>>  Policy Type                   targeted Enforcing Mode Permissive Host
>>> Name                     s198.domain.xx Platform Linux s198.domain.xx
>>> 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
>>> Alert Count                   7 First Seen 2013-05-30 16:35:05 EEST
>>> Last Seen                     2013-06-04 11:30:02 EEST Local ID
>>> 469bd394-ddfb-454b-89e0-5ea40c2cf36b
>>> 
>>> Raw Audit Messages type=AVC msg=audit(1370334602.277:26): avc:  denied
>>> { getattr } for pid=461 comm="courierlogger"
>>> path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281
>>> scontext=system_u:system_r:courier_authdaemon_t:s0 
>>> tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
>>> 
>>> 
>>> type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat 
>>> success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0
>>> ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger 
>>> exe=/usr/sbin/courierlogger
>>> subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)
>>> 
>>> Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
>>> 
>>> [cristi at s198 ~]$ getsebool -a | grep " on" auditadm_exec_content --> on
>>>  domain_fd_use --> on fips_mode --> on global_ssp --> on 
>>> gluster_export_all_rw --> on gssd_read_tmp --> on guest_exec_content
>>> --> on httpd_builtin_scripting --> on httpd_can_network_connect --> on
>>>  httpd_can_network_connect_db --> on httpd_enable_cgi --> on 
>>> httpd_enable_homedirs --> on httpd_graceful_shutdown --> on 
>>> httpd_mod_auth_pam --> on httpd_sys_script_anon_write --> on
>>> httpd_use_gpg --> on kerberos_enabled --> on
>>> logging_syslogd_can_sendmail --> on login_console_enabled --> on
>>> mcelog_exec_scripts --> on mount_anyfile --> on nfs_export_all_ro -->
>>> on nfs_export_all_rw --> on nscd_use_shm --> on openvpn_enable_homedirs
>>> --> on postfix_local_write_mail_spool --> on 
>>> postgresql_selinux_unconfined_dbadm --> on postgresql_selinux_users_ddl
>>> --> on privoxy_connect_any --> on saslauthd_read_shadow --> on 
>>> secadm_exec_content --> on selinuxuser_direct_dri_enabled --> on 
>>> selinuxuser_execmod --> on selinuxuser_execstack --> on 
>>> selinuxuser_mysql_connect_enabled --> on selinuxuser_ping --> on 
>>> selinuxuser_rw_noexattrfile --> on selinuxuser_tcp_server --> on 
>>> spamassassin_can_network --> on spamd_enable_home_dirs --> on 
>>> squid_connect_any --> on staff_exec_content --> on sysadm_exec_content
>>> --> on telepathy_tcp_connect_generic_network_ports --> on 
>>> unconfined_chrome_sandbox_transition --> on unconfined_login --> on 
>>> unconfined_mozilla_plugin_transition --> on user_exec_content --> on 
>>> virt_use_usb --> on xend_run_blktap --> on xend_run_qemu --> on 
>>> xguest_connect_network --> on xguest_exec_content --> on
>>> xguest_mount_media --> on xguest_use_bluetooth --> on [cristi at s198 ~]$
>>> 
>>> Do I miss something obvious?
>>> 
>>> C. Sava
>>> 
>>> 
>> Why is courier storing pid files in /var/spool/authdaemon/pid?
>> 
>> Current policy allows courier_authdaemon to create sock_files in this 
>> directory but not regular files.
>> 
>> 
> That is beyond of me, but I think there may be a reason and I don't find 
> complains for it on forums. I think that it just have to work, with and
> without selinux, it's the administrator's choice (without the need to
> compile modules and so on, only an option needed). Courier is too well
> known to be ignored and it is not something very special beast.
> 
> C. Sava
> 
> 
> 
> 
> 
Anyways Crhitian, I have added the allow rules to the base policy to allow
this.  You can do this for now  by executing

# grep courier /var/log/audit/audit.log | audit2allow -M mycourier
# semodule -i mycourier.pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGvQBQACgkQrlYvE4MpobOObgCgopB2FdvcJCDLwmzV8x8DhHmI
/JUAoNGh9k8ijLJFgSh+9dFZIZqW1flC
=vOEX
-----END PGP SIGNATURE-----

More information about the test mailing list