[CentOS-docs] SELinux

Manuel Wolfshant wolfy at nobugconsulting.ro
Tue Aug 12 18:37:24 UTC 2008

On 08/12/2008 07:12 PM, Ned Slider wrote:
> Manuel Wolfshant wrote:
>> Ned Slider wrote:
>>> Hi list,
>>> I've knocked up a contribution on SELinux here:
>>> http://wiki.centos.org/HowTos/SELinux
>>> I've tried to pitch it as an introduction for those not already 
>>> familiar with SELinux but also hopefully a useful reference.
>>> I'm relatively new to SELinux and have covered pretty much 
>>> everything I know to the limits of my limited knowledge. If folks 
>>> think other material needs to be covered then it may be more 
>>> appropriate for them to make the additions rather than me. Consider 
>>> it a "get the ball rolling" contribution that the community can add 
>>> to as necessary :)
>>> Comments welcomed,
>> I would add the following just before "Summary" (in case one wants to 
>> edit the rules suggested by audit2allow):
>>    Building module policy manually
>> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
>> - while reviewing the generated postfix.te
>>    module postfix 1.0;
>>    require {
>>            type httpd_log_t;
>>            type postfix_postdrop_t;
>>            class dir getattr;
>>            class file { read getattr };
>>    }
>>    #============= postfix_postdrop_t ==============
>>    allow postfix_postdrop_t httpd_log_t:file getattr;
> Wolfy,
> Are you able to supply an example of the audit.log AVC message(s) that 
> are used to create this .te policy? It might be useful to show the 
> actual AVC error messages in explaining this process.
> Thanks,
Here you are. I hope I have not trashed anything valuable, but most of 
the info must be here.

PS, for those who might be tempted to comment about the kernel version: 
I already know what you want to say.
SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to
/var/log/httpd/error_log (httpd_log_t).

Detailed Description:

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/httpd/error_log,

restorecon -v '/var/log/httpd/error_log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postdrop_t
Target Context                root:object_r:httpd_log_t
Target Objects                /var/log/httpd/error_log [ file ]
Source                        postdrop
Source Path                   /usr/sbin/postdrop
Port                          <Unknown>
Host                          sanitized
Source RPM Packages           postfix-2.3.3-2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     sanitized
Platform                      Linux sanitized 2.6.18-53.1.21.el5 #1 SMP Tue
                              May 20 09:35:07 EDT 2008 x86_64 x86_64
Alert Count                   599
First Seen                    Wed Jul  2 08:27:15 2008
Last Seen                     Sun Aug 10 22:47:52 2008
Local ID                      c303a4ea-8e7a-4acc-9118-9cc61c6a2ec8
Line Numbers                  

Raw Audit Messages            

host=sanitized type=AVC msg=audit(1218397672.372:352): avc:  denied  { getattr } for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file

host=sanitized type=SYSCALL msg=audit(1218397672.372:352): arch=c000003e syscall=5 success=no exit=-13 a0=2 a1=7fffd6febca0 a2=7fffd6febca0 a3=0 items=0 ppid=4261 pid=4262 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
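The raw AVC record above is exactly what audit2allow reads to produce the require/allow lines of the .te file quoted earlier in the thread: the third field of scontext and tcontext become the source and target types, tclass becomes the object class, and the braces after "denied" become the permission list. The following Python script, added here as an illustration and not part of the original post or of the audit2allow tool, performs that mapping on a constructed audit log (modelled on the messages above, with made-up pids and an extra dir denial added as an assumption) and prints a .te module, merging permissions per source/target/class the way audit2allow does. The SYSCALL record is skipped, since only AVC records carry a denial.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the first AVC record mirrors the one quoted
# above; the remaining records (pids, a read denial, a dir denial) are
# assumptions added to show permission merging and a second object class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218397672.372:352): avc:  denied  { getattr } for  pid=4262 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1218397672.372:352): arch=c000003e syscall=5 success=no exit=-13 comm="postdrop" exe="/usr/sbin/postdrop"
type=AVC msg=audit(1218397680.101:353): avc:  denied  { read } for  pid=4270 comm="postdrop" path="/var/log/httpd/error_log" dev=md2 ino=117005 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218397690.555:354): avc:  denied  { getattr } for  pid=4271 comm="postdrop" path="/var/log/httpd" dev=md2 ino=117000 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1218397699.000:355): avc:  denied  { write } for  pid=4300 comm="httpd" path="/tmp/x" dev=md2 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Matches the fields of an AVC denial record; everything else is ignored.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules refer to)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the denial as a dict, or None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect_denials(log_text, comm=None):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}.

    `comm` plays the role of the `grep sendmail` / `grep postdrop` filter
    used before piping into audit2allow.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if comm is not None and 'comm="%s"' % comm not in line:
            continue
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in .te syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_te(module_name, rules, version='1.0'):
    """Render a policy module source (.te) from merged denials."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        classes[cls] |= perms
    out = ['module %s %s;' % (module_name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for src in sorted({k[0] for k in rules}):
        out.append('#============= %s ==============' % src)
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                out.append('allow %s %s:%s %s;' % (s, tgt, cls, fmt_perms(perms)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Equivalent of: grep postdrop /var/log/audit/audit.log | audit2allow -M postfix
    print(build_te('postfix', collect_denials(SAMPLE_AUDIT_LOG, comm='postdrop')))
```

Two things the script makes visible that are worth keeping in mind when reviewing a generated .te: the comm filter decides which denials land in the module (without it the httpd_t rule above would be pulled in too), and every allow line is a permanent grant, so each one should be checked against what the process is actually supposed to do before the module is compiled (checkmodule and semodule_package, or audit2allow -M directly) and loaded with semodule -i. The real audit2allow also consults the loaded policy, which this stand-in does not.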
