selinux and udev ?

Nicolas Mailhot nicolas.mailhot at laposte.net
Tue Nov 29 21:18:49 UTC 2005


On Tuesday 29 November 2005 at 15:01 -0500, Daniel J Walsh wrote:
> Nicolas Mailhot wrote:

> > The udev denial seems fixed with selinux-policy-targeted-2.0.6-1. So
> > things get (slowly) fixed. But most issues are still there:
> >
> > audit2allow < /var/log/audit/audit.log
> > allow dovecot_auth_t var_lib_t:dir search;
> > allow system_chkpwd_t devpts_t:chr_file { read write };
> > allow procmail_t spamd_port_t:tcp_socket name_connect;
> > allow updfstab_t tmpfs_t:dir getattr;
> > allow dovecot_auth_t etc_runtime_t:file read;
> > allow spamd_t port_t:udp_socket name_bind;
> > (this bit is the spamassassin resolver issue Steven Stern just reported
> > for FC4. It was briefly fixed in Rawhide, then regressed to broken stage
> > with the 2.x policy change)
> >
> > (generated on a clean fully relabeled system after 3 min of activity)
> >
> > That's almost the same list I had with selinux-policy-targeted-2.0.0

> selinux-policy-2.0.6-2 should fix most of those.

This one is much better, right. I had to work a little harder to fill my
AVC quota. Now I only get:

# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t var_auth_t:dir write;
(on-the-fly pam_abl database creation failure, strangely works fine from
ssh)

allow saslauthd_t self:capability setuid;
(should saslauthd be allowed setuid?)

allow saslauthd_t var_auth_t:dir search;
(more pam_abl stuff)

allow spamd_t port_t:udp_socket name_bind;

Probably related to one of those:

Nov 29 22:08:11 rousalka spamd[2382]: Error creating a DNS resolver
socket: Permission non accordée
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
line 202, <GEN5> line 120.
Nov 29 22:08:11 rousalka spamd[2382]: spamd: Error creating a DNS
resolver socket: Permission non accordée
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
line 202, <GEN5> line 120.


Nov 29 22:09:38 rousalka spamd[2382]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 50657
Nov 29 22:09:38 rousalka spamd[2382]: spamd: setuid to nim succeeded
Nov 29 22:09:38 rousalka spamd[2382]: spamd: creating
default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: config: cannot write
to /home/nim/.spamassassin/user_prefs: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: spamd: failed to create readable
default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: spamd: checking message
<1133298570.3426.4.camel at rousalka.dyndns.org> for nim:500
Nov 29 22:09:38 rousalka spamd[2382]: internal error
Nov 29 22:09:38 rousalka spamd[2382]: pyzor: check failed: internal
error
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: locker: safe_lock: cannot create
tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: Can't call method "finish" on an
undefined value
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line
397.
Nov 29 22:09:38 rousalka spamd[2382]: bayes: locker: safe_lock: cannot
create tmp
lockfile /home/nim/.spamassassin/bayes.lock.rousalka.dyndns.org.2382
for /home/nim/.spamassassin/bayes.lock: Permission non accordée

allow system_chkpwd_t devpts_t:chr_file { read write };
(this one is pam-related - may be serious)

allow updfstab_t tmpfs_t:dir getattr;
(fstab-sync is blocked)

Regards,

-- 
Nicolas Mailhot
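An added example, not part of the thread: a small Python script that turns raw kernel AVC records into the audit2allow-style allow lines listed above, merging duplicate denials (the spamd name_bind one fires repeatedly) and collapsing a target of the same type as the source to `self`, as in the saslauthd line. The sample audit lines are constructed to mirror the denials in the post, not copied from a real audit.log; the point is to triage denials before deciding which ones merit a policy change.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC format (no MLS field, as in
# the 2005 targeted policy); they mirror the thread's denials, not real data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1133298491.101:40): avc:  denied  { name_bind } for  pid=2382 comm="spamd" src=32915 scontext=root:system_r:spamd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=AVC msg=audit(1133298491.102:41): avc:  denied  { setuid } for  pid=2401 comm="saslauthd" capability=7 scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=capability
type=AVC msg=audit(1133298491.103:42): avc:  denied  { read } for  pid=2410 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298491.103:43): avc:  denied  { write } for  pid=2410 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298491.104:44): avc:  denied  { name_bind } for  pid=2382 comm="spamd" src=32916 scontext=root:system_r:spamd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=SYSCALL msg=audit(1133298491.104:44): arch=40000003 syscall=102 success=no exit=-13
"""

# Pull the permission set, source/target contexts and object class out of a
# denial record; non-AVC records (SYSCALL, etc.) simply do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # A security context is user:role:type[:mls]; the type is the third field.
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = _type_of(m["scontext"]), _type_of(m["tcontext"])
        if src == tgt:
            tgt = "self"  # audit2allow writes same-type targets as self
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def format_rules(rules):
    """Render merged denials as sorted allow lines, braces only when needed."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        lines.append(f"allow {src} {tgt}:{cls} {p};")
    return lines

if __name__ == "__main__":
    print("\n".join(format_rules(parse_denials(SAMPLE_AUDIT_LOG))))
```

Each output line is something to investigate (a mislabeled file, a missing boolean, a policy bug to report), not a rule to paste blindly into a local module.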