Following a hard drive corruption I have reinstalled the latest version of CentOS and all current patch files.
For most applications I selected the default options. By doing this I expected that the packages would play nice with one another and I could customize as necessary.
Setting SELinux to enforce I encountered all sorts of problems - but most were resolvable, save for Dovecot, Procmail (for spamc), and an odd one with Apache.
Given that these were all installed with the CentOS install defaults, I can't believe I am the only one with these issues but finding a solution has not been self-evident. Hoping someone here can help.
For Dovecot I get the following:

SELinux is preventing dovecot (dovecot_t) "create" to <Unknown> (dovecot_t). For complete SELinux messages. run sealert -l e1b070ab-586a-4c5a-befe-b6a46b9ab992

For procmail I get the following:

SELinux is preventing procmail (procmail_t) "execute" to ./spamc (spamc_exec_t). For complete SELinux messages. run sealert -l 0a554689-4948-4edf-9964-dddbfe6a2492
SELinux is preventing sh (procmail_t) "read" to ./spamc (spamc_exec_t). For complete SELinux messages. run sealert -l 1f1ebd83-412d-4e93-a36f-6f3d34c663df

For Apache it's even more strange - When started I get:

Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be directory
But it is a directory, has the correct permissions and I have even run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to correct the problem. I run a virtual server too, and in trying to find a fix for this that may be a problem - but first things first.
All the other issues I had I could resolve when I ran the specified "sealert" tag and followed the suggested instructions - but those above don't budge. When I go to the fedora.redhat.com/docs/selinux-fq-fc5 site to take on making a local policy module I am quickly getting lost. The option to simply disable SELinux with respect to Apache, Dovecot or anything else is suggested - but not something I see in the GUI window, and I have not figured out how to do it from the command line.
Again, because these are default packages, I hope that someone else knows how to resolve these.
With respect to the two reports from SELinux regarding Dovecot and procmail, here is a bit more info:
The info and Raw Audit message for dovecot_t is:

Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                None [ socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port                          <Unknown>
Host                          trailrunner
Source RPM Packages           dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Wed Apr 29 15:39:51 2009
Last Seen                     Wed Apr 29 15:47:31 2009
Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers

Raw Audit Messages

host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket

host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)

The Raw Audit Message for Procmail is:

Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:spamc_exec_t:s0
Target Objects                ./spamc [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port                          <Unknown>
Host                          trailrunner
Source RPM Packages           procmail-3.22-17.1.el5.centos
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   29
First Seen                    Wed Apr 29 15:40:40 2009
Last Seen                     Wed Apr 29 16:25:40 2009
Local ID                      0a554689-4948-4edf-9964-dddbfe6a2492
Line Numbers

Raw Audit Messages

host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: denied { execute } for pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=trailrunner type=SYSCALL msg=audit(1241043940.918:166): arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020 a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
Hi
Dovecot is trying to open a socket, and procmail is trying to execute spamc. You should be able to fix these issues using audit2allow.
Andrew.
On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:
<snip>
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Ok, but how?
There appear to be a lot of different options when employing audit2allow and I am reluctant to start blazing away trying different elements. I am missing the details of what socket and how the execution is occurring so that I can begin to develop the proper audit2allow sequence.
On Apr 30, 2009, at 8:43 AM, Andrew Colin Kissa wrote:
<snip>
The audit.log should contain more detail than is being provided here. If it is a unix socket you should see the path; I suspect it is the unix socket, not the tcp sockets (pop3/imap).
On 30 Apr 2009, at 4:50 PM, Dan Roberts wrote:
<snip>
Thanks - this is helpful but still not quite a fix. The suggested fixes seem general for the three issues of dovecot, nmbd, and spamc - but audit2allow does at least create them.
[dan@trailrunner ~]$ cat dovecotsocketselinux.te

module dovecotsocketselinux 1.0;

require {
        type dovecot_t;
        class socket create;
}

#============= dovecot_t ==============
allow dovecot_t self:socket create;
[dan@trailrunner ~]$
[dan@trailrunner ~]$
[dan@trailrunner ~]$ cat nmbdselinux.te

module nmbdselinux 1.0;

require {
        type samba_share_t;
        type nmbd_t;
        class file { rename getattr unlink append };
        class dir { search setattr };
}

#============= nmbd_t ==============
allow nmbd_t samba_share_t:dir { search setattr };
allow nmbd_t samba_share_t:file { rename getattr unlink append };
[dan@trailrunner ~]$
[dan@trailrunner ~]$
[dan@trailrunner ~]$ cat spamcselinux.te

module spamcselinux 1.0;

require {
        type spamc_exec_t;
        type procmail_t;
        class file { read execute execute_no_trans };
}

#============= procmail_t ==============
allow procmail_t spamc_exec_t:file { read execute execute_no_trans };
[dan@trailrunner ~]$
The problem is that when these are installed, dovecot fails - port 993 already in use.
So now what - again, default CentOS options and configuration for all three of these.
On Apr 30, 2009, at 1:38 PM, Ned Slider wrote:
> Dan Roberts wrote:
>> Ok, but how?
> http://wiki.centos.org/HowTos/SELinux
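How the denials quoted in this thread turn into the `allow` rules in the .te files above, as an added Python example (not code from the thread or from audit2allow itself): each AVC record's source type, target type, class and permission become one rule, and two kinds of rule are flagged for review before loading. The module name `localmail` is an assumption, and the procmail `read` and `execute_no_trans` records are constructed, since only the `execute` denial was posted in raw form.

```python
import re
from collections import defaultdict

# Audit records as posted in this thread, one per line. The last two procmail
# records are constructed: only the "execute" denial was posted raw.
SAMPLE_AUDIT = """\
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)
host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: denied { execute } for pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(0.000:0): avc: denied { read } for pid=0 comm="sh" name="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(0.000:0): avc: denied { execute_no_trans } for pid=0 comm="procmail" name="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_module(name, rules):
    """Emit type-enforcement source in the layout of the .te files above."""
    types, classes, allows = set(), defaultdict(set), []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        types.update((src, tgt))
        classes[tclass].update(perms)
        target = "self" if src == tgt else tgt  # same type on both sides
        allows.append(f"allow {src} {target}:{tclass} {format_perms(perms)};")
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allows
    return "\n".join(lines) + "\n"

def review_notes(rules):
    """Flag generated rules that deserve a closer look before loading."""
    notes = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        if tclass == "socket":
            notes.append(f"{src}: generic 'socket' class, the denial does not "
                         "name the address family")
        if "execute_no_trans" in perms:
            notes.append(f"{src}: {tgt} would run inside {src} with no "
                         "domain transition")
    return notes

if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AUDIT)
    print(render_module("localmail", parsed))
    print("\n".join(review_notes(parsed)))
```
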
On Thu, Apr 30, 2009 at 9:07 AM, Dan Roberts dan@jlazyh.com wrote:
> Following a hard drive corruption I have reinstalled the latest version of CentOS and all current patch files. For most applications I selected the default options. By doing this I expected that the packages would play nice with one another and I could customize as necessary. Setting SELinux to enforce I encountered all sorts of problems - but most were resolvable, save for Dovecot, Procmail (for spamc), and an odd one
<snip>
> take on making a local policy module I am quickly getting lost. The option to simply disable SELinux with respect to Apache, Dovecot or anything else is suggested - but not something I see in the GUI window, and I have not figured out how to do it from the command line.
Disabling SELinux is *not* recommended, by those who know, on this mailing list and in other places. Maybe drop it down from "Enforcing" to Permissive, until you get it configured properly.
You might want to go to http://www.nsa.gov/ and download the .pdf version of their manual about hardening RHEL 5. Look for the December 20, 2007 version. On page 42, they begin discussing SELinux and how to configure/troubleshoot it. "Guide to the Secure Configuration of Red Hat Enterprise Linux 5". HTH and GL
I would like not to disable SELinux, and I have the guide from the NSA. But try as I might these three things are being difficult. Given that it was a default install for them I have no idea how or why.
Some Google searches and even the SELinux FAQ suggest remedy options that involve data that I just don't seem to have - that's where the expertise of someone who has had to deal with something similar would be very helpful.
On Apr 30, 2009, at 11:44 AM, Lanny Marcus wrote:
<snip>