[CentOS] Defaults of CentOS Install not working with SELinux

Thu Apr 30 14:07:35 UTC 2009
Dan Roberts <dan at jlazyh.com>

Following a hard drive corruption I have reinstalled the latest  
version of CentOS and all current patch files.

For most applications I selected the default options.  By doing this I  
expected that the packages would play nice with one another and I  
could customize as necessary.

Setting SELinux to enforcing, I encountered all sorts of problems - but  
most were resolvable, save for Dovecot, Procmail (for spamc), and an  
odd one with Apache.

Given that these were all installed with the CentOS install defaults,  
I can't believe I am the only one with these issues but finding a  
solution has not been self evident.  Hoping someone here can help.

For Dovecot I get the following:
	SELinux is preventing dovecot (dovecot_t) "create" to <Unknown>  
(dovecot_t). For complete SELinux messages. run sealert -l  
e1b070ab-586a-4c5a-befe-b6a46b9ab992

For procmail I get the following:
	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
0a554689-4948-4edf-9964-dddbfe6a2492
	SELinux is preventing sh (procmail_t) "read" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
1f1ebd83-412d-4e93-a36f-6f3d34c663df

For Apache it's even more strange - When started I get:
	Syntax error on line 283 of /etc/httpd/conf/httpd.conf
	DocumentRoot must be a directory

But it is a directory, has the correct permissions and I have even run  
chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to correct  
the problem.  I run a virtual server too, and in trying to find a fix  
for this that may be a problem - but first things first.

All the other issues I had I could resolve when I ran the specified  
"sealert" tag and followed the suggested instructions - but those  
above don't budge.  When I go to the fedora.redhat.com/docs/selinux-fq-fc5  
site to take on making a local policy module I am quickly getting  
lost.  The option to simply disable SELinux with respect to Apache,  
Dovecot or anything else is suggested - but not something I see in  
the GUI window, and I have not figured out how to do it from the  
command line.

Again, because these are default packages, I hope that someone else  
knows how to resolve these.

With respect to the two reports from SELinux regarding Dovecot and  
procmail, here is a bit more info:

The info and Raw Audit message for dovecot_t is:
	Source Context                system_u:system_r:dovecot_t:s0
	Target Context                system_u:system_r:dovecot_t:s0
	Target Objects                None [ socket ]
	Source                        dovecot
	Source Path                   /usr/sbin/dovecot
	Port                          <Unknown>
	Host                          trailrunner
	Source RPM Packages           dovecot-1.0.7-7.el5
	Target RPM Packages
	Policy RPM                    selinux-policy-2.4.6-203.el5
	Selinux Enabled               True
	Policy Type                   targeted
	MLS Enabled                   True
	Enforcing Mode                Enforcing
	Plugin Name                   catchall
	Host Name                     trailrunner
	Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
	Alert Count                   2
	First Seen                    Wed Apr 29 15:39:51 2009
	Last Seen                     Wed Apr 29 15:47:31 2009
	Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
	Line Numbers

	Raw Audit Messages
	host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:  denied  { create } for  pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
	host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)

The Raw Audit Message for Procmail is:
	Source Context                system_u:system_r:procmail_t:s0
	Target Context                system_u:object_r:spamc_exec_t:s0
	Target Objects                ./spamc [ file ]
	Source                        procmail
	Source Path                   /usr/bin/procmail
	Port                          <Unknown>
	Host                          trailrunner
	Source RPM Packages           procmail-3.22-17.1.el5.centos
	Target RPM Packages
	Policy RPM                    selinux-policy-2.4.6-203.el5
	Selinux Enabled               True
	Policy Type                   targeted
	MLS Enabled                   True
	Enforcing Mode                Enforcing
	Plugin Name                   catchall_file
	Host Name                     trailrunner
	Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
	Alert Count                   29
	First Seen                    Wed Apr 29 15:40:40 2009
	Last Seen                     Wed Apr 29 16:25:40 2009
	Local ID                      0a554689-4948-4edf-9964-dddbfe6a2492
	Line Numbers

	Raw Audit Messages
	host=trailrunner type=AVC msg=audit(1241043940.918:166): avc:  denied  { execute } for  pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
	host=trailrunner type=SYSCALL msg=audit(1241043940.918:166): arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020 a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
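Added example, not part of the original post and not CentOS's or the SELinux project's own tooling: a Python script that turns raw AVC denial lines like the ones quoted above into the .te source of a local policy module, which is the step the poster got lost on in the Fedora FAQ and the step audit2allow performs automatically. It also flags the one rule that deserves a second look before it is loaded. The sample input is constructed: the two raw AVC lines from the post re-joined onto single lines, plus a constructed AVC line for the "sh ... read ./spamc" denial, for which the post only shows the sealert summary. The module name local_fixes is an assumption.

```python
"""Generate a local SELinux policy module (.te source) from raw AVC denials.

Added example for the thread above; not the poster's code and not part of
the CentOS policy tooling.  It mimics what audit2allow does so the rules
can be read and judged before checkmodule/semodule_package compile them.
"""
import re
from collections import defaultdict

# Constructed input: the two raw AVC lines quoted in the post, re-joined onto
# single lines, plus a constructed AVC line for the "sh ... read ./spamc"
# denial for which the post only shows the sealert summary.
SAMPLE_AUDIT = """\
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:  denied  { create } for  pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)
host=trailrunner type=AVC msg=audit(1241043940.918:166): avc:  denied  { execute } for  pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=trailrunner type=AVC msg=audit(1241043940.918:167): avc:  denied  { read } for  pid=3345 comm="sh" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:range] -> type (the part policy rules are written in)."""
    return context.split(":")[2]


def parse_avcs(audit_text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    records = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial of their own
        records.append((_type_of(m["scon"]), _type_of(m["tcon"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return records


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(records, module="local_fixes", version="1.0"):
    """Build the .te text: a require block plus one allow rule per (src, tgt, class)."""
    rules = defaultdict(set)
    class_perms = defaultdict(set)
    types = set()
    for stype, ttype, tclass, perms in records:
        rules[(stype, ttype, tclass)] |= perms
        class_perms[tclass] |= perms
        types.update((stype, ttype))
    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, _perm_set(p)) for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes self too
        out.append("allow %s %s:%s %s;" % (stype, target, tclass, _perm_set(perms)))
    return "\n".join(out) + "\n"


def exec_type_warnings(records):
    """Flag allow rules that would paper over a missing domain transition.

    An execute denial against a *_exec_t type usually means the policy
    expected a transition (here procmail_t into spamc's own domain via
    spamc_exec_t).  A bare allow instead runs spamc inside procmail_t,
    with procmail's privileges, so it should be reviewed, not just loaded.
    """
    return ["%s executes %s: consider a domain transition, not a bare allow"
            % (s, t) for s, t, c, p in records
            if c == "file" and "execute" in p and t.endswith("_exec_t")]


def build_commands(module="local_fixes"):
    """The three commands that compile and load the .te produced above."""
    return ["checkmodule -M -m -o %s.mod %s.te" % (module, module),
            "semodule_package -o %s.pp -m %s.mod" % (module, module),
            "semodule -i %s.pp" % module]


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    print(generate_te(recs))
    for w in exec_type_warnings(recs):
        print("# WARNING:", w)
    print("\n".join(build_commands()))
```

Run as-is it prints the module source (allow dovecot_t self:socket create; and allow procmail_t spamc_exec_t:file { execute read };), one warning for the spamc rule, and the checkmodule, semodule_package and semodule commands that load it; on the box itself, audit2allow -M local_fixes -i /var/log/audit/audit.log produces the same .te and the .pp in one step. The warning is the place to stop and think: spamc_exec_t is an entrypoint type, so an execute denial on it usually means the policy expected procmail_t to change domain when it runs spamc, and allowing the execute outright keeps spamc in procmail's domain instead of restoring that transition. The Apache symptom is a different kind of problem and not an AVC at all: chcon -R on /web/www never touched /web itself, so if that directory was created by hand it still carries default_t, which httpd_t cannot search, and the stat() behind "DocumentRoot must be a directory" fails. ls -dZ /web /web/www shows the labels, and the lasting fix is semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" followed by restorecon -Rv /web, because chcon labels do not survive a relabel.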
