F19-mailserver & selinux complains

Daniel J Walsh dwalsh at redhat.com
Tue Jun 4 15:40:08 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2013 05:06 AM, Cristian Sava wrote:
> I am trying to activate selinux for my mailserver. It is F19
> postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual
> environment. All needed is stock or was packaged on F19 (rpmbuild -ta ... /
> rpmbuild -ba ...) and all is working fine (selinux disabled). No tar.gz
> directly installed. I am trying to fix things one by one. Any advice is
> welcome. When receiving a message selinux complains (permissive):
> 
> SELinux is preventing /usr/sbin/courierlogger from getattr access on the 
> file /var/spool/authdaemon/pid.
> 
> *****  Plugin catchall (100. confidence) suggests 
> ***************************
> 
> If you believe that courierlogger should be allowed getattr access on the
> pid file by default. Then you should report this as a bug. You can generate
> a local policy module to allow this access. Do allow this access for now by
> executing:
> # grep courierlogger /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:courier_authdaemon_t:s0
> Target Context                system_u:object_r:courier_spool_t:s0
> Target Objects                /var/spool/authdaemon/pid [ file ]
> Source                        courierlogger
> Source Path                   /usr/sbin/courierlogger
> Port                          <Unknown>
> Host                          s198.domain.xx
> Source RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
> Target RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
> Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     s198.domain.xx
> Platform                      Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
> Alert Count                   7
> First Seen                    2013-05-30 16:35:05 EEST
> Last Seen                     2013-06-04 11:30:02 EEST
> Local ID                      469bd394-ddfb-454b-89e0-5ea40c2cf36b
> 
> Raw Audit Messages
> type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0 ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger exe=/usr/sbin/courierlogger subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)
> 
> Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
> 
> [cristi at s198 ~]$ getsebool -a | grep " on"
> auditadm_exec_content --> on
> domain_fd_use --> on
> fips_mode --> on
> global_ssp --> on
> gluster_export_all_rw --> on
> gssd_read_tmp --> on
> guest_exec_content --> on
> httpd_builtin_scripting --> on
> httpd_can_network_connect --> on
> httpd_can_network_connect_db --> on
> httpd_enable_cgi --> on
> httpd_enable_homedirs --> on
> httpd_graceful_shutdown --> on
> httpd_mod_auth_pam --> on
> httpd_sys_script_anon_write --> on
> httpd_use_gpg --> on
> kerberos_enabled --> on
> logging_syslogd_can_sendmail --> on
> login_console_enabled --> on
> mcelog_exec_scripts --> on
> mount_anyfile --> on
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nscd_use_shm --> on
> openvpn_enable_homedirs --> on
> postfix_local_write_mail_spool --> on
> postgresql_selinux_unconfined_dbadm --> on
> postgresql_selinux_users_ddl --> on
> privoxy_connect_any --> on
> saslauthd_read_shadow --> on
> secadm_exec_content --> on
> selinuxuser_direct_dri_enabled --> on
> selinuxuser_execmod --> on
> selinuxuser_execstack --> on
> selinuxuser_mysql_connect_enabled --> on
> selinuxuser_ping --> on
> selinuxuser_rw_noexattrfile --> on
> selinuxuser_tcp_server --> on
> spamassassin_can_network --> on
> spamd_enable_home_dirs --> on
> squid_connect_any --> on
> staff_exec_content --> on
> sysadm_exec_content --> on
> telepathy_tcp_connect_generic_network_ports --> on
> unconfined_chrome_sandbox_transition --> on
> unconfined_login --> on
> unconfined_mozilla_plugin_transition --> on
> user_exec_content --> on
> virt_use_usb --> on
> xend_run_blktap --> on
> xend_run_qemu --> on
> xguest_connect_network --> on
> xguest_exec_content --> on
> xguest_mount_media --> on
> xguest_use_bluetooth --> on
> [cristi at s198 ~]$
> 
> Do I miss something obvious?
> 
> C. Sava
> 
> 
Why is courier storing pid files in /var/spool/authdaemon/pid?

Current policy allows courier_authdaemon to create sock_files in this
directory but not regular files.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGuClgACgkQrlYvE4MpobPe5wCgwcXNlAhf2rsHryipOyxr77nT
TAsAnRNluuZM4+1y/FrZ4fSD85bUkdpf
=VgId
-----END PGP SIGNATURE-----
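As an added example (not from this thread, and not code from the courier or selinux-policy projects), the following Python script parses raw type=AVC records of the kind quoted above, groups denials by the same (comm, source type, target type, class, permission) key that setroubleshoot prints on its "Hash:" line, and renders the allow rule audit2allow would generate for them. Seeing that rule spelled out ("allow courier_authdaemon_t courier_spool_t:file ...") makes the point of the reply concrete: the access being requested is a regular file under a label where policy only expects sock_files, so the alternative to granting it is to fix where or how the pid file is labelled. The sample log is constructed; its first two records are the ones from the thread, the later two AVC records are made up to show how repeated and differing permissions are grouped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The first AVC and the SYSCALL record are the ones
# quoted in the thread; the later two AVC records are made up here to show
# how repeated and differing permissions are grouped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for  pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0 ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger exe=/usr/sbin/courierlogger subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)
type=AVC msg=audit(1370338202.101:31): avc:  denied  { getattr } for  pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1370338202.102:32): avc:  denied  { write } for  pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
"""

# type=AVC msg=audit(<seconds>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        # file denials carry path=, directory-entry denials carry name=
        'object': fields.get('path') or fields.get('name'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def denial_keys(rec):
    """One key per permission, in the same shape as setroubleshoot's 'Hash:' line."""
    return ['%s,%s,%s,%s,%s' % (rec['comm'], rec['source_type'],
                                rec['target_type'], rec['tclass'], p)
            for p in rec['perms']]


def summarize_denials(log_text):
    """Count distinct denials across an audit log, looking at AVC records only."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            counts.update(denial_keys(rec))
    return counts


def allow_rules(counts):
    """Render the allow rules audit2allow would produce for these denials.

    Shown so the reader can see exactly what access a local module would
    open; whether to grant it, or instead fix the file's label or location,
    is the decision the thread is about.
    """
    perms_by_triple = defaultdict(set)
    for key in counts:
        _comm, stype, ttype, tclass, perm = key.split(',')
        perms_by_triple[(stype, ttype, tclass)].add(perm)
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in perms_by_triple.items())


if __name__ == '__main__':
    totals = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, n in sorted(totals.items()):
        print('%3d  %s' % (n, key))
    for rule in allow_rules(totals):
        print(rule)
```

Run it against a real /var/log/audit/audit.log by reading the file into summarize_denials instead of the constructed sample; the grouped keys tell you at a glance whether one process is hitting one object repeatedly (a labelling or placement problem, as here) or whether many different objects are involved.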