[Bug 480129] Error at calling service amavisd restart when SELinux is in enforce mode
bugzilla at redhat.com
Sat Mar 31 22:36:16 UTC 2012
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=480129
Erik M Jacobs <ejacobs at redhat.com> changed:
What           | Removed | Added
---------------|---------|------
Target Release |         | ---
--- Comment #6 from Erik M Jacobs <ejacobs at redhat.com> 2012-03-31 18:36:12 EDT ---
OK, I think I spoke too soon. Here's the latest situation:
[root at atlas /etc/puppet]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5
[root at atlas /etc/puppet]$ getenforce
Permissive
[root at atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3230] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]
In this configuration, nothing gets logged to the audit log (yes, permissive).
If we switch to enforcing:
[root at atlas /etc/puppet]$ setenforce 1
[root at atlas /etc/puppet]$ getenforce
Enforcing
[root at atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
To mount /proc at boot you need an /etc/fstab line like:
/proc /proc proc defaults
In the meantime, run "mount /proc /proc -t proc"
Daemon [3286] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]
SELinux is definitely doing something naughty. Apparently there are some
things that default policies set to not audit:
http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/9234
Disabling the dontaudit and going to permissive:
[root at atlas /etc/puppet]$ semodule -DB
[root at atlas /etc/puppet]$ setenforce 0
[root at atlas /etc/puppet]$ getenforce
Permissive
[root at atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3315] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]
[root at atlas /etc/puppet]$ date
Sat Mar 31 22:33:06 GMT 2012
[root at atlas /etc/puppet]$ ausearch -m avc -ts 22:33 | audit2allow
#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
This looks good I guess. But this module won't compile and install:
[root at atlas ~]$ ausearch -m avc -ts 22:33 | audit2allow -M amavisd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i amavisd.pp
[root at atlas ~]$ cat amavisd.te
module amavisd 1.0;
require {
type amavis_t;
type security_t;
type proc_t;
type user_home_dir_t;
type selinux_config_t;
type shadow_t;
class file { read getattr };
class dir search;
}
#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
[root at atlas ~]$ semodule -i amavisd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow amavis_t
shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
So I'm at a loss as to how to actually generate a policy here that will work.
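The semodule failure in the comment above is libsepol enforcing a neverallow assertion from the base policy: reading shadow_t is forbidden for domains that are not explicitly granted it, so any module produced by piping audit2allow straight into semodule will be rejected as long as that rule is in it. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses the allow rules out of a .te file such as the amavisd.te shown, splits them into rules that can go in as-is, rules that deserve a look (security_t, selinux_config_t and user_home_dir_t as the review set is my own choice, not something the page states), and rules that the base policy will refuse outright (shadow_t, the one libsepol named), then re-emits a .te without the refused rules so that it compiles. The module text embedded here is copied from the comment; the classification lists are assumptions.

```python
import re

# Targets the base policy forbids with a neverallow assertion; libsepol
# rejected the page's module for exactly the shadow_t read rule.
DROP_TARGETS = {"shadow_t"}
# Targets that do not trip assertions but still merit a human look before a
# mail daemon is granted them (assumed list, not from the page).
REVIEW_TARGETS = {"security_t", "selinux_config_t", "user_home_dir_t"}

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$")
MODULE_RE = re.compile(r"^\s*module\s+(\S+)\s+([\d.]+)\s*;")

# The amavisd.te from the bug comment, embedded as sample input.
SAMPLE_TE = """module amavisd 1.0;
require {
\ttype amavis_t;
\ttype security_t;
\ttype proc_t;
\ttype user_home_dir_t;
\ttype selinux_config_t;
\ttype shadow_t;
\tclass file { read getattr };
\tclass dir search;
}
#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
"""


def parse_te(te_text):
    """Return (module_name, version, rules) from the text of a .te file."""
    name = version = None
    rules = []
    for line in te_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            name, version = m.groups()
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue  # require block, comments, blank lines
        src, tgt, cls, perms = m.groups()
        rules.append({
            "source": src, "target": tgt, "class": cls,
            "perms": sorted(perms.strip("{}").split()),
        })
    return name, version, rules


def triage(rules):
    """Split rules into (keep, review, drop) by the target type."""
    keep, review, drop = [], [], []
    for r in rules:
        if r["target"] in DROP_TARGETS:
            drop.append(r)
        elif r["target"] in REVIEW_TARGETS:
            review.append(r)
        else:
            keep.append(r)
    return keep, review, drop


def _perm_str(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(name, version, rules):
    """Emit a .te whose require block lists exactly the types/classes used."""
    types = sorted({r["source"] for r in rules} | {r["target"] for r in rules})
    classes = {}
    for r in rules:
        classes.setdefault(r["class"], set()).update(r["perms"])
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {_perm_str(sorted(classes[cls]))};")
    out += ["}", ""]
    for r in rules:
        out.append(f"allow {r['source']} {r['target']}:{r['class']} {_perm_str(r['perms'])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    name, version, rules = parse_te(SAMPLE_TE)
    keep, review, drop = triage(rules)
    for r in drop:
        print(f"dropping (neverallow): {r['source']} {r['target']}:{r['class']} {r['perms']}")
    for r in review:
        print(f"review before install:  {r['source']} {r['target']}:{r['class']} {r['perms']}")
    print(render_te(name, version, keep + review))
```

The intended workflow is the one the comment already uses, with one step added in between: `ausearch -m avc -ts <time> | audit2allow -M amavisd` to generate amavisd.te, this script to strip the rule the assertion will reject and to list the ones worth questioning, then `checkmodule`/`semodule_package` (or audit2allow -M again on the trimmed .te) and `semodule -i`. A dropped shadow_t rule is a finding rather than a lost permission: the question becomes why the daemon reaches for /etc/shadow at all, and the answer is usually a configuration change in the daemon, not a policy that grants it.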