On 11/14/2013 10:45 AM, Timothy Murphy wrote:
> Daniel J Walsh wrote:
>
>> On 11/14/2013 09:24 AM, Timothy Murphy wrote:
>>> Miroslav Grepl wrote:
>>>
>>>>> New article on opensource.com describing SELinux enforcement in
>>>>> simple terms. Check it out.
>>>>>
>>>>> http://opensource.com/business/13/11/selinux-policy-guide
>>>
>>>> I believe it is a great introduction to SELinux.
>>>
>>> I liked this.
>>>
>>> I also liked the video <http://www.youtube.com/watch?v=MxjenQ31b70>
>>> with accompanying slides at
>>> <http://people.redhat.com/tcameron/summit2010/selinux/SELinuxMereMortals.p...;.
>>>
>>> I thought I'd try to move from SELinux permissive mode following the
>>> advice in this video and slides.
>>>
>>> The main problem I met was following sealert advice of the form
>>> -----------------------------
>>> If you want to allow perl to have search access on the tim directory
>>> Then you need to change the label on /home/tim
>>> Do
>>> # semanage fcontext -a -t FILE_TYPE '/home/tim'
>>> where FILE_TYPE is one of the following: etc_t, proc_t, sysfs_t,
>>> ...
>>> devpts_t, var_t, user_home_dir_t, cluster_conf_t, var_t, var_t.
>>> -----------------------------
>>>
>>
>> Yes, those ones are tough; basically the system is trying to expand the
>> list of file types that the application is allowed to write. In this
>> case it expanded a little too large.
>>
>> What was the AVC that caused this?
>
> I gave the command
> [root@grover tim]# sealert -a /var/log/audit/audit.log
> which was mentioned in the video I cited, and the above was one of many
> suggestions that were made.
>
> The response started with 11 AVCs, which all concerned the same file, this
> being a sample:
>
> **** Invalid AVC allowed in current policy ***
> type=AVC msg=audit(1330438567.88:108452): avc: denied { getattr } for
> pid=2567 comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10
> ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> found 11 alerts in /var/log/audit/audit.log
>
> Then there was a much longer portion going over different files, giving
> terse advice of what to do in many cases, but also vague advice of the kind
> above in other cases.
Looks like you had a mislabeled file in /etc. Did it suggest restorecon as
its #1 option?
restorecon -R -v /etc/dovecot
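The triage Dan describes (a file whose label differs from what policy expects is fixed with restorecon; a correctly labelled file means a genuine policy gap) as an added example, not code from this thread: it parses `avc: denied` records from audit.log text, compares the object's type in tcontext with the type the file_contexts database would assign, and picks the fix. The audit lines and the file_contexts table are constructed samples; on a real host the expected type comes from `matchpathcon -n PATH`.

```python
import os
import re

# Constructed sample audit.log records: the dovecot denial quoted above, and a
# search denial on a directory that carries only name=, not a full path=.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1330438567.88:108452): avc:  denied  { getattr } for  pid=2567 comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10 ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1330438570.12:108460): avc:  denied  { search } for  pid=2601 comm="perl" name="tim" dev=sdb10 ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# Constructed stand-in for the policy's file_contexts entries (regex, type); the
# last matching entry wins. On a real host use `matchpathcon -n PATH` instead.
SAMPLE_FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/dovecot(/.*)?", "dovecot_etc_t"),
    (r"/home/[^/]+", "user_home_dir_t"),
]

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other line."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type, e.g. usr_t

def expected_type(path, specs=SAMPLE_FILE_CONTEXTS):
    winner = None
    for pattern, ftype in specs:
        if re.fullmatch(pattern, path):
            winner = ftype
    return winner

def triage(rec, specs=SAMPLE_FILE_CONTEXTS):
    """Decide whether the denial is a labeling problem or a real policy gap."""
    if "path" not in rec:
        return ("unknown-path", "no path= in record; find the object by dev=%s ino=%s and check it with ls -Z" % (rec.get("dev"), rec.get("ino")))
    actual = context_type(rec["tcontext"])
    want = expected_type(rec["path"], specs)
    if want is not None and want != actual:
        target = os.path.dirname(rec["path"]) if rec.get("tclass") == "file" else rec["path"]
        return ("mislabeled", "restorecon -R -v " + target)
    return ("policy-gap", "label matches policy; review the denial with audit2allow before adding rules")
```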