On 11/29/2009 08:44 PM, Roland Roberts wrote:
On 11/29/2009 05:11 AM, Sandro Janke wrote:
> Actually, you don't need to have any of the setroubleshoot packages
> installed to get AVC messages logged. What you need is auditd running
> and it will log AVC messages to /var/log/audit/audit.log
>
> With setroubleshoot-server installed you can watch the logged
> messages using:
>
> # sealert -a /var/log/audit/audit.log
>
> The output will be long and in the style of setroubleshoot browser,
> so take your measures.
>
> Another tool - from the audit package - that can prove very useful is
> ausearch. It will search the audit logs for messages matching the
> given criteria.
But I'm not getting any messages there. And changing enforcing mode
fixes the problem, so it seems like it has to be SELinux, but with no
log, I can't figure out what rule needs to be changed.
At the suggestion of Daniel Walsh, I ran
semodule -DB
then restarted dovecot and got my messages. I've used those to create
policy, but can't load it.
I've configured dovecot to use a local socket connection to postgres.
Here is what I have for SELinux:
grep 'Dec 2.*dovecot-auth' /var/log/messages | audit2allow -m local > local.te
328 root> cat local.te
module local 1.0;
require {
type dovecot_auth_t;
type unlabeled_t;
type postgresql_tmp_t;
class sock_file write;
class unix_stream_socket read;
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
#============= unlabeled_t ==============
allow unlabeled_t self:unix_stream_socket read;
329 root> make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
330 root> semodule -i local.pp
libsepol.print_missing_requirements: local's global requirements were not met: type/attribute dovecot_auth_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
I'm at a loss on what to do here. Suggestions on why it would tell me this?
roland
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland(a)rlenter.com 6818 Madeline Court
roland(a)astrofoto.org Brooklyn, NY 11220
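The libsepol message above is the link step refusing a module because one of the types in its require { } block is not defined in the currently loaded policy. The following is an added example, not code from the thread or from the SELinux tools, that performs the same check before semodule -i is run: it pulls the type names out of a .te file and compares them against a list of known types. On a real host that list would come from the setools command seinfo -t (one type per line, header stripped) and the presence of the module defining a missing type would be checked with semodule -l; here the type lists and file names are constructed, and the .te is the local.te from the message.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every type named in the
# require { } block of a .te module is known to the loaded policy before
# installing it. This is the condition libsepol reports as
# "global requirements were not met: type/attribute <name>".

# Print the type names listed in the require { } block of a .te file.
te_required_types() {
    awk '
        /^[[:space:]]*require[[:space:]]*[{]/ { inreq = 1; next }
        inreq && /^[[:space:]]*[}]/           { inreq = 0 }
        inreq && $1 == "type"                 { sub(/;$/, "", $2); print $2 }
    ' "$1"
}

# Compare the required types against a file holding one known type per line
# (on a real host: the output of seinfo -t with its header removed).
# Prints each missing type; returns 1 if any is missing, 0 if all exist.
check_requirements() {
    te_file=$1
    known_types=$2
    missing=0
    for t in $(te_required_types "$te_file"); do
        if ! grep -qx "$t" "$known_types"; then
            echo "missing in loaded policy: $t"
            missing=1
        fi
    done
    return $missing
}

# Write constructed sample inputs into directory $1: the local.te from the
# message and two hypothetical type lists, one of them lacking dovecot_auth_t.
write_samples() {
    dir=$1
    cat > "$dir/local.te" <<'EOF'
module local 1.0;
require {
type dovecot_auth_t;
type unlabeled_t;
type postgresql_tmp_t;
class sock_file write;
class unix_stream_socket read;
}
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
allow unlabeled_t self:unix_stream_socket read;
EOF
    # Constructed list: a policy in which all three types are defined.
    printf '%s\n' unlabeled_t postgresql_tmp_t dovecot_auth_t postgresql_t > "$dir/types_ok.txt"
    # Constructed list: the same policy without dovecot_auth_t (the failure seen in the thread).
    printf '%s\n' unlabeled_t postgresql_tmp_t postgresql_t > "$dir/types_missing.txt"
}

# Stand-alone demonstration against the constructed inputs.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "types required by local.te:"
    te_required_types "$d/local.te"
    check_requirements "$d/local.te" "$d/types_ok.txt" && echo "all required types present; semodule -i can proceed"
    check_requirements "$d/local.te" "$d/types_missing.txt" || echo "load the module that defines the missing type first"
    rm -rf "$d"
}

demo
```

The check deliberately stops at reporting the missing type: which module defines it (and whether that module is installed, disabled, or simply absent from this policy) is a question for semodule -l on the affected host, and the answer decides whether the generated rule belongs in a local module at all.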