Getting module_request errors from SELinux. Errors being thrown by metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup
All errors are essentially the same
System was working well until I began to apply some basic security hardening configuration.
Postfix started complaining when I made /tmp noexec, nodev, nosuid, and then did a mount --bind of /var/tmp under /tmp.
Backed that out the remount of /var/tmp and those errors went away. But then these errors started showing up.
Here is an example of a postfix pickup error. What is going on? I could allow the module to load, but I want to understand what is going on and the dangers of making the mod before I do it.
SELinux is preventing /usr/libexec/postfix/pickup from module_request access on the system Unknown.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow all domains to have the kernel load modules Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean. Do setsebool -P domain_kernel_load_modules 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that pickup should be allowed module_request access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:postfix_pickup_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source pickup Source Path /usr/libexec/postfix/pickup Port <Unknown> Host desk.localdomain Source RPM Packages postfix-2.6.6-2.2.el6_1 Target RPM Packages Policy RPM selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name desk.localdomain Platform Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 23:56:34 BST 2012 x86_64 x86_64 Alert Count 24 First Seen Fri 27 Apr 2012 02:46:55 PM MDT Last Seen Sun 29 Apr 2012 05:10:32 AM MDT Local ID 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e
Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc: denied { module_request } for pid=24226 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
Hash: pickup,postfix_pickup_t,kernel_t,system,module_request
audit2allow
#============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
audit2allow -R
#============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/29/2012 10:53 PM, David McGuffey wrote:
Getting module_request errors from SELinux. Errors being thrown by metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup
All errors are essentially the same
System was working well until I began to apply some basic security hardening configuration.
Postfix started complaining when I made /tmp noexec, nodev, nosuid, and then did a mount --bind of /var/tmp under /tmp.
Backed that out the remount of /var/tmp and those errors went away. But then these errors started showing up.
Here is an example of a postfix pickup error. What is going on? I could allow the module to load, but I want to understand what is going on and the dangers of making the mod before I do it.
SELinux is preventing /usr/libexec/postfix/pickup from module_request access on the system Unknown.
***** Plugin catchall_boolean (89.3 confidence) suggests
If you want to allow all domains to have the kernel load modules Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean. Do setsebool -P domain_kernel_load_modules 1
***** Plugin catchall (11.6 confidence) suggests
If you believe that pickup should be allowed module_request access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:postfix_pickup_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source pickup Source Path /usr/libexec/postfix/pickup Port <Unknown> Host desk.localdomain Source RPM Packages postfix-2.6.6-2.2.el6_1 Target RPM Packages Policy RPM selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name desk.localdomain Platform Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 23:56:34 BST 2012 x86_64 x86_64 Alert Count 24 First Seen Fri 27 Apr 2012 02:46:55 PM MDT Last Seen Sun 29 Apr 2012 05:10:32 AM MDT Local ID 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e
Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc: denied { module_request } for pid=24226 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
Hash: pickup,postfix_pickup_t,kernel_t,system,module_request
audit2allow
#============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
audit2allow -R
#============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
These are caused because you disabled IPV6.
http://danwalsh.livejournal.com/47118.html
On Mon, Apr 30, 2012 at 10:15 AM, Daniel J Walsh dwalsh@redhat.com wrote:
These are caused because you disabled IPV6.
That note about HowTo disable IPV6 is in the CentOS FAQ:
http://wiki.centos.org/FAQ/CentOS6#head-d47139912868bcb9d754441ecb6a8a10d417...
As described in there, there is a potential issue with X forwarding. Possible workarounds are also given.
Akemi