5:42 p.m.
I successfully - or so it seems - convinced a box to work in enforcing
mode, but as of today I still see these error messages whenever postfix
is started:
Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied {
write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3
ino=245461 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied {
search } for pid=5103 exe=/bin/bash dev= ino=1
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:devpts_t tclass=dir
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied {
execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
tclass=file
Does this ring a bell? As far as I can tell, all contexts are properly
set. To play safe, I even removed and reinstalled the postfix RPM. The
system has all the latest Raw Hide packages.
Rudi
2:55 a.m.
On Tue, 30 Mar 2004 09:42, Rudi Chiarito <nutello(a)sweetness.com> wrote:
I successfully - or so it seems - convinced a box to work in
enforcing
mode, but as of today I still see these error messages whenever postfix
is started:
Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied {
write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3
ino=245461 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:postfix_etc_t tclass=file
Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied {
search } for pid=5103 exe=/bin/bash dev= ino=1
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:devpts_t tclass=dir
Add the following to postfix.te:
allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t devpts_t:dir search;
Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied
{
execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
tclass=file
What is this "master" file? Please run "find / -inum 1407396" and
tell me
what it reports.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
6:21 a.m.
On Tue, Mar 30, 2004 at 07:55:24PM +1100, Russell Coker wrote:
What is this "master" file? Please run "find / -inum
1407396" and tell me
what it reports.
"master" is one of the subprograms that make up postfix. They all reside
in /usr/libexec/postfix and at the moment have a system_u:object_r:lib_t
context.
With your fix, I still get the name=master message, plus these two:
Mar 30 05:56:15 pizza kernel: audit(1080647775.335:0): avc: denied {
getattr } for pid=2310 exe=/usr/sbin/postalias path=/dev/pts/2 dev=
ino=4 scontext=root:system_r:postfix_master_t
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Mar 30 05:56:15 pizza kernel: audit(1080647775.381:0): avc: denied {
execute_no_trans } for pid=2312 exe=/bin/bash
path=/usr/libexec/postfix/master dev=sda3 ino=1407394
scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
tclass=file
Thank you very much for your help,
Rudi
7:11 a.m.
On Tue, 2004-03-30 at 03:55, Russell Coker wrote:
Add the following to postfix.te:
allow postfix_master_t postfix_etc_t:file rw_file_perms;
Is that truly what you want, i.e. allowing it to rewrite any file with
that type? Should the aliases.db file be moved into a separate type, so
that only it needs to be writable?
allow postfix_master_t devpts_t:dir search;
> Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied {
> execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396
> scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t
> tclass=file
What is this "master" file? Please run "find / -inum 1407396" and
tell me
what it reports.
Even better, boot with audit=1 so that the supplementary audit records
will report the pathname passed to the system call.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
3:21 a.m.
New subject: Cannot login with SELinux tuned on
Hi All!
I have a problem trying to log on with SELinux enforced.
Every time i'm typing a user name and password it prompts:
'Would you like to enter a security context? [y]'
This does not seem to be a proper behavior as in such case i cannot
login from the graphic login screen at all. It always returns an error
saying something like: 'Cannot load a default context'.
The system was upgraded from FC1 to FC2test. Then the following line was
added to the /etc/security/selinux/src/policy/users file
user testuser roles { user_r };
Policy was rebuilt and reloaded as well as all files in the system were
relabeled.
I also ran the following line
/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
as suggested.
Can anybody point me in the right direction? What am i doing wrong? Any
help, comments would be greatly appreciated.
Best regards,
Igor.
11:10 a.m.
New subject: Cannot login with SELinux tuned on
You need to relabel the entire system if you are doing an upgrade.
make -c /etc/security/selinux/src/policy relabel
Igor N. Kolomiyets wrote:
Hi All!
I have a problem trying to log on with SELinux enforced.
Every time i'm typing a user name and password it prompts:
'Would you like to enter a security context? [y]'
This does not seem to be a proper behavior as in such case i cannot
login from the graphic login screen at all. It always returns an error
saying something like: 'Cannot load a default context'.
The system was upgraded from FC1 to FC2test. Then the following line
was added to the /etc/security/selinux/src/policy/users file
user testuser roles { user_r };
Policy was rebuilt and reloaded as well as all files in the system
were relabeled.
I also ran the following line
/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
as suggested.
Can anybody point me in the right direction? What am i doing wrong?
Any help, comments would be greatly appreciated.
Best regards,
Igor.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
7323
days inactive
7326
days old
selinux@lists.fedoraproject.org
5 comments
5 participants
participants (5)
-
Daniel J Walsh -
Igor N. Kolomiyets -
Rudi Chiarito -
Russell Coker -
Stephen Smalley