Hi,
So I'm trying to get milter-greylist working with SELinux and I seem to have a problem. It doesn't seem to know what milter-greylist is trying to access, so I can't add a rule to fix it. Here is what I see in /var/log/message when I try to run systemctl start milter-greylist:
May 27 12:47:07 dcsnow setroubleshoot: SELinux is preventing /usr/sbin/milter-greylist from remove_name access on the directory . For complete SELinux messages. run sealert -l f008afda-b837-4a7a-ad4e-80562d4ef31c
May 27 12:47:07 dcsnow python: SELinux is preventing /usr/sbin/milter-greylist from remove_name access on the directory .

*****  Plugin catchall_labels (83.8 confidence) suggests  *******************

If you want to allow milter-greylist to have remove_name access on the directory
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: greylist_milter_data_t, var_run_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

*****  Plugin catchall (17.1 confidence) suggests  **************************

If you believe that milter-greylist should be allowed remove_name access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep milter-greylist /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
In audit.log I see:
type=AVC msg=audit(1401209226.129:1909): avc: denied { remove_name } for pid=8467 comm="milter-greylist" name="milter-greylist.sock" dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
Any ideas on how I go about finding out what needs to happen here?
Thanks in advance for your help.
--- Will Y.
On 05/27/2014 12:55 PM, aragonx@dcsnow.com wrote:
Looks like the milter-greylist.sock is mislabeled. What directory is it in? Why isn't it in /run?
Well, see, I was following a guide (probably old) that pointed Sendmail to /var/milter-greylist, so I just changed the greylist.conf file instead of changing the sendmail.mc file.
Now that you mention it, I switched them and it works fine. However, I'm still a bit confused why I was not able to just add a rule to get SELinux to allow the access. It just seemed confused as to what needed to be done.
--- Will Y.
On 05/27/2014 01:35 PM, aragonx@dcsnow.com wrote:
You could either adjust SELinux or adjust the App. If the app is doing the wrong thing, I would prefer to fix the app.
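To make the point concrete, here is an added example of my own (not code from the thread) that pulls the fields out of the AVC quoted in the original post and decides whether the target label says "object is in the wrong path, relabel it" or "a policy rule is really missing". The list of generic types it treats as a labeling symptom is my own heuristic, not taken from the policy sources.

```sh
#!/bin/sh
# Added example: classify an AVC denial by its target label.
# Sample input is the denial from the original post.
AVC='type=AVC msg=audit(1401209226.129:1909): avc: denied { remove_name } for pid=8467 comm="milter-greylist" name="milter-greylist.sock" dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'

# avc_field LINE KEY: value of KEY=... with surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perm LINE: the permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Generic labels a confined daemon should never need to modify. Seeing one as
# tcontext usually means the object sits in a path the policy does not expect.
# Heuristic list chosen for this example, not a policy definition.
GENERIC_TYPES='var_t default_t unlabeled_t usr_t etc_t var_lib_t'

# classify_avc LINE: prints "relabel" or "policy"
classify_avc() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    for t in $GENERIC_TYPES; do
        [ "$t" = "$ttype" ] && { echo relabel; return 0; }
    done
    echo policy
}

# explain_avc LINE: one-line summary of the denial and the likely remedy
explain_avc() {
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s needs %s on %s "%s" labeled %s: ' "$sdom" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" "$ttype"
    case $(classify_avc "$1") in
        relabel) echo "generic label; fix the path or its file context (semanage fcontext + restorecon), not the policy" ;;
        *)       echo "type-specific label; a rule may really be missing, so review audit2allow output before loading it" ;;
    esac
}

explain_avc "$AVC"
```

For the denial above it reports the directory as var_t, which is why audit2allow could only have produced a blanket allow against var_t for greylist_milter_t; the real fix was the socket path, as the thread concludes.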