I successfully - or so it seems - convinced a box to work in enforcing mode, but as of today I still see these error messages whenever postfix is started:
Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Does this ring a bell? As far as I can tell, all contexts are properly set. To play safe, I even removed and reinstalled the postfix RPM. The system has all the latest Raw Hide packages.
Rudi
On Tue, 30 Mar 2004 09:42, Rudi Chiarito nutello@sweetness.com wrote:
> I successfully - or so it seems - convinced a box to work in enforcing mode, but as of today I still see these error messages whenever postfix is started:
>
> Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file
> Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir
Add the following to postfix.te:

allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t devpts_t:dir search;

> Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
What is this "master" file? Please run "find / -inum 1407396" and tell me what it reports.
On Tue, Mar 30, 2004 at 07:55:24PM +1100, Russell Coker wrote:
> What is this "master" file? Please run "find / -inum 1407396" and tell me what it reports.
"master" is one of the subprograms that make up postfix. They all reside in /usr/libexec/postfix and at the moment have a system_u:object_r:lib_t context.
With your fix, I still get the name=master message, plus these two:
Mar 30 05:56:15 pizza kernel: audit(1080647775.335:0): avc: denied { getattr } for pid=2310 exe=/usr/sbin/postalias path=/dev/pts/2 dev= ino=4 scontext=root:system_r:postfix_master_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Mar 30 05:56:15 pizza kernel: audit(1080647775.381:0): avc: denied { execute_no_trans } for pid=2312 exe=/bin/bash path=/usr/libexec/postfix/master dev=sda3 ino=1407394 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Thank you very much for your help, Rudi
On Tue, 2004-03-30 at 03:55, Russell Coker wrote:
> Add the following to postfix.te:
>
> allow postfix_master_t postfix_etc_t:file rw_file_perms;
Is that truly what you want, i.e. allowing it to rewrite any file with that type? Should the aliases.db file be moved into a separate type, so that only it needs to be writable?
> allow postfix_master_t devpts_t:dir search;
>
> Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
>
> What is this "master" file? Please run "find / -inum 1407396" and tell me what it reports.
Even better, boot with audit=1 so that the supplementary audit records will report the pathname passed to the system call.
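The replies above do by hand what the next script automates: read the avc: denied records, pull out the source type, target type, object class and permission set, and draft one allow rule per (source, target, class) with the permissions merged. This is an added example, not code from the thread or from the Fedora policy sources; it assumes the audit record layout shown in the messages above (scontext=, tcontext=, tclass= fields and a { perms } set), and the sample input is the five denial lines posted in this thread, embedded inline so the script runs offline.

```shell
#!/bin/sh
# avc_to_allow: draft SELinux allow rules from kernel avc: denied records.
# Assumes the classic audit line format seen above (scontext=user:role:type,
# tcontext=user:role:type, tclass=class, and "denied { perm ... }").
# The output is a starting point for a .te file, not something to paste in
# blindly: a broad macro such as rw_file_perms on a whole type grants far
# more than the single file (here aliases.db) the daemon actually touches.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # permission set sits between "denied {" and "}"
        if (!match($0, /denied[ ]*[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied[ ]*[{][ ]*/, "", perms)
        sub(/[ ]*[}]$/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is the type
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype SUBSEP ttype SUBSEP tclass
        n = split(perms, plist, /[ ]+/)
        for (j = 1; j <= n; j++)
            if (plist[j] != "" && !seen[key, plist[j]]++)
                set[key] = set[key] " " plist[j]
    }
    END {
        for (k in set) {
            split(k, f, SUBSEP)
            p = set[k]; sub(/^ /, "", p)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], p
        }
    }' | sort
}

# Sample input: the denial records quoted in the thread above.
SAMPLE_AVC='Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file
Mar 30 05:56:15 pizza kernel: audit(1080647775.335:0): avc: denied { getattr } for pid=2310 exe=/usr/sbin/postalias path=/dev/pts/2 dev= ino=4 scontext=root:system_r:postfix_master_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Mar 30 05:56:15 pizza kernel: audit(1080647775.381:0): avc: denied { execute_no_trans } for pid=2312 exe=/bin/bash path=/usr/libexec/postfix/master dev=sda3 ino=1407394 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file'

# Convenience wrapper so the sample run can be called by name.
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

sample_rules
```

Running it on the five records prints four rules; the two lib_t denials (execute and execute_no_trans) collapse into one line. That rule is the one to treat as a symptom rather than a fix: a daemon domain needing execute on lib_t files, as Rudi's follow-up shows for /usr/libexec/postfix/master, usually means the binary carries the wrong label and should be relabeled from file_contexts instead of being allowed. Likewise the generated write rule is deliberately narrower than the rw_file_perms suggested above, which is the point Stephen raises.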
Hi All!
I have a problem trying to log on with SELinux enforced.
Every time I'm typing a user name and password it prompts:
'Would you like to enter a security context? [y]'
This does not seem to be proper behavior, as in such a case I cannot log in from the graphic login screen at all. It always returns an error saying something like: 'Cannot load a default context'.
The system was upgraded from FC1 to FC2test. Then the following line was added to the /etc/security/selinux/src/policy/users file
user testuser roles { user_r };
Policy was rebuilt and reloaded as well as all files in the system were relabeled.
I also ran the following line
/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
as suggested.
Can anybody point me in the right direction? What am I doing wrong? Any help or comments would be greatly appreciated.
Best regards, Igor.
You need to relabel the entire system if you are doing an upgrade.
make -C /etc/security/selinux/src/policy relabel
Igor N. Kolomiyets wrote:
> Hi All!
>
> I have a problem trying to log on with SELinux enforced.
>
> Every time I'm typing a user name and password it prompts:
>
> 'Would you like to enter a security context? [y]'
>
> This does not seem to be proper behavior, as in such a case I cannot log in from the graphic login screen at all. It always returns an error saying something like: 'Cannot load a default context'.
>
> The system was upgraded from FC1 to FC2test. Then the following line was added to the /etc/security/selinux/src/policy/users file
>
> user testuser roles { user_r };
>
> Policy was rebuilt and reloaded as well as all files in the system were relabeled.
>
> I also ran the following line
>
> /usr/sbin/setfiles /etc/security/selinux/file_contexts /home
>
> as suggested.
>
> Can anybody point me in the right direction? What am I doing wrong? Any help or comments would be greatly appreciated.
>
> Best regards, Igor.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list