Problem with selinux and milter-greylist

Daniel J Walsh dwalsh at redhat.com
Tue May 27 16:58:17 UTC 2014


On 05/27/2014 12:55 PM, aragonx at dcsnow.com wrote:
>
> Hi,
>
> So I'm trying to get milter-greylist working with selinux and I seem to
> have a problem.  It doesn't seem to know what milter-greylist is trying
> to access so I can't add a rule to fix it.  Here is what I see in
> /var/log/message when I try to run systemctl start milter-greylist
>
> May 27 12:47:07 dcsnow setroubleshoot: SELinux is preventing /usr/sbin/milter-greylist from remove_name access on the directory . For complete SELinux messages. run sealert -l f008afda-b837-4a7a-ad4e-80562d4ef31c
> May 27 12:47:07 dcsnow python: SELinux is preventing /usr/sbin/milter-greylist from remove_name access on the directory .
>
> *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
>
> If you want to allow milter-greylist to have remove_name access on the  directory
> Then you need to change the label on $FIX_TARGET_PATH
> Do
> # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
> where FILE_TYPE is one of the following: greylist_milter_data_t, var_run_t.
> Then execute:
> restorecon -v '$FIX_TARGET_PATH'
>
> *****  Plugin catchall (17.1 confidence) suggests   **************************
>
> If you believe that milter-greylist should be allowed remove_name access on the  directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep milter-greylist /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> In audit.log I see:
>
> type=AVC msg=audit(1401209226.129:1909): avc:  denied  { remove_name } for  pid=8467 comm="milter-greylist" name="milter-greylist.sock" dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
>
> Any ideas on how I go about finding out what needs to happen here?
>
> Thanks in advance for your help.
>
> ---
> Will Y.
>
Looks like the milter-greylist.sock is mislabeled.  What directory is it
in?  Why isn't it in /run?
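
An added example, not part of the original thread: a small parser for the AVC record quoted above that pulls out the source and target types and flags a target carrying a catch-all label such as `var_t`, the situation where relabeling is the first thing to check before generating a local policy module. The function names, the `relabel`/`review-policy` verdicts and the `GENERIC_TYPES` set are assumptions made for this illustration.

```python
import re

# AVC record quoted in the post above, rejoined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1401209226.129:1909): avc:  denied  { remove_name } '
    'for  pid=8467 comm="milter-greylist" name="milter-greylist.sock" '
    'dev="sda6" ino=652403 scontext=system_u:system_r:greylist_milter_t:s0 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'
)

# Assumption: an illustrative, non-exhaustive set of catch-all types that
# usually mean "nothing more specific was ever applied to this path".
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs; values may be double-quoted (comm, name, dev).
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted if quoted else bare
    for side in ("scontext", "tcontext"):
        if side not in rec:
            return None
        # Context layout is user:role:type:level; the type is the third field.
        rec[side + "_type"] = rec[side].split(":", 3)[2]
    return rec

def triage(rec):
    """'relabel' when the target has a catch-all type, else 'review-policy'."""
    if rec["tcontext_type"] in GENERIC_TYPES:
        return "relabel"
    return "review-policy"

if __name__ == "__main__":
    r = parse_avc(SAMPLE_AVC)
    print(r["scontext_type"], r["perms"], r["tcontext_type"], r["tclass"], triage(r))
```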



