[CentOS-docs] Mail / Web server guides
Christian Salway
ccsalway at itmanx.com
Tue Mar 26 08:59:19 UTC 2013
Woke up to a couple of problems with SELINUX this morning...
#######################################################
type=AVC msg=audit(1364240071.657:27): avc: denied { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
**** Invalid AVC allowed in current policy ***
type=AVC msg=audit(1364240397.817:30): avc: denied { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
**** Invalid AVC allowed in current policy ***
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the directory sieve.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that lmtp should be allowed write access on the sieve directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
#######################################################
I'm not sure what's wrong with the first two Invalid AVCs. httpd is what I want to give access to pop_port_t (pop_port_t tcp 106, 109, 110, 143, 220, 993, 995, 1109) and smtp_port_t (smtp_port_t tcp 25, 465, 587).
The http.te looks like this:
module httpd 1.0;
require {
type postfix_public_t;
type postfix_spool_t;
type pop_port_t;
type smtp_port_t;
type user_home_dir_t;
type user_home_t;
type httpd_t;
type postfix_spool_maildrop_t;
class process setrlimit;
class file { rename setattr read create write getattr open };
class dir { search write getattr remove_name add_name };
class fifo_file { write getattr open };
class tcp_socket name_connect;
}
#============= httpd_t ==============
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;
allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t self:process setrlimit;
allow httpd_t user_home_dir_t:dir { getattr search };
allow httpd_t user_home_t:dir { getattr search write add_name };
allow httpd_t user_home_t:file { create read open };
######################################################
The second, dovecot issue: when I run
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
I get:
module dovecot 1.0;
require {
type dovecot_etc_t;
type dovecot_t;
class dir write;
}
#============= dovecot_t ==============
allow dovecot_t dovecot_etc_t:dir write;
but when I try
# semodule -i mypol.pp
I get:
libsepol.print_missing_requirements: dovecot's global requirements were not met: type/attribute dovecot_etc_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
Any ideas?
Kind regards,
Christian Salway
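As an added example (not code from the original post, nor from the CentOS or SELinux projects), the script below does by hand what the audit2allow step in the message above does, and adds the check a practitioner wants before running semodule -i: it parses AVC denial records into allow rules, deduplicates them, verifies that every type the rules reference actually exists in the installed policy (the "global requirements were not met" failure quoted above is exactly a reference to a type the policy does not define), and wraps the rules into a complete .te module with a generated require block. The AVC records are constructed to match the shape quoted in the thread (the third one is a hypothetical record for the lmtp/sieve denial), and KNOWN_TYPES is a constructed stand-in for what seinfo -t would list on the real host; the module name mymail_local is likewise an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions (labelled): AVC_SAMPLE and KNOWN_TYPES are constructed; on a
# real host the records come from /var/log/audit/audit.log and the type
# list from `seinfo -t`.

# Constructed AVC records. The first two mirror the httpd denials quoted in
# the post; the third is a hypothetical record for the lmtp/sieve denial.
AVC_SAMPLE='type=AVC msg=audit(1364240071.657:27): avc: denied { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364240397.817:30): avc: denied { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364240400.100:31): avc: denied { write } for pid=2201 comm="lmtp" name="sieve" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir'

# Constructed stand-in for the types the installed policy defines
# (real input: seinfo -t). dovecot_etc_t is deliberately absent, to model
# the failure quoted in the post.
KNOWN_TYPES='httpd_t pop_port_t smtp_port_t dovecot_t'

# avc_to_allow: read AVC records on stdin and print one allow rule per
# (source type, target type, class, permission), deduplicated.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      s = index($0, "{"); e = index($0, "}")
      perm = substr($0, s + 1, e - s - 1)       # permissions between braces
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      n = split(perm, p, " ")
      for (j = 1; j <= n; j++) {
        key = src SUBSEP tgt SUBSEP cls SUBSEP p[j]
        if (!(key in seen)) {
          seen[key] = 1
          print "allow " src " " tgt ":" cls " " p[j] ";"
        }
      }
    }'
}

# missing_types: read allow rules on stdin; print each type they reference
# that is not in the space-separated list $1. Any output means semodule -i
# would fail with "global requirements were not met".
missing_types() {
  awk -v known="$1" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) have[k[i]] = 1 }
    /^allow / {
      split($3, t, ":")
      c[1] = $2; c[2] = t[1]
      for (i = 1; i <= 2; i++) {
        x = c[i]
        if (x != "self" && !(x in have) && !(x in out)) { out[x] = 1; print x }
      }
    }'
}

# rules_to_te: wrap allow rules (stdin) into a complete .te module named $1,
# deriving the require block from the types and classes the rules use.
rules_to_te() {
  awk -v mod="$1" '
    /^allow / {
      rules[++n] = $0
      types[$2] = 1
      split($3, t, ":")
      if (t[1] != "self") types[t[1]] = 1
      perm = $0
      sub(/^allow [^ ]+ [^ ]+ /, "", perm); sub(/;$/, "", perm)
      gsub(/[{}]/, "", perm)
      np = split(perm, p, " ")
      for (i = 1; i <= np; i++) {
        key = t[2] SUBSEP p[i]
        if (!(key in seenp)) { seenp[key] = 1; perms[t[2]] = perms[t[2]] " " p[i] }
      }
    }
    END {
      print "module " mod " 1.0;"
      print "require {"
      for (x in types) print "\ttype " x ";"
      for (c in perms) print "\tclass " c " {" perms[c] " };"
      print "}"
      for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Stand-alone run: the rules, then the pre-install check, then the module.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | missing_types "$KNOWN_TYPES"
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | rules_to_te mymail_local
```

Run it with `sh script.sh`; on a real host replace AVC_SAMPLE with `grep -E 'comm="(httpd|lmtp)"' /var/log/audit/audit.log` and KNOWN_TYPES with the output of `seinfo -t`. A type listed by missing_types must be resolved (a typo, or a type that the installed policy version does not define) before the module is built, since checkmodule and semodule will not link it. Give the local module a name that does not collide with an installed policy module: semodule replaces an existing module of the same name, so a local module called "dovecot" would stand in for the distribution's dovecot policy rather than extend it.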
-----Original Message-----
From: centos-docs-bounces at centos.org [mailto:centos-docs-bounces at centos.org]
On Behalf Of Manuel Wolfshant
Sent: 25 March 2013 20:00
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Mail / Web server guides
On 03/25/2013 09:56 PM, Christian Salway wrote:
> [...]
> The only problem now is when I log into phpmyadmin, I get the
> following and I can't find a solution.
>
> Your PHP MySQL library version 5.1.61 differs from your MySQL server
> version 5.5.30. This may cause unpredictable behavior.
>
> # rpm -qa mysql*
> mysql55-libs-5.5.30-1.ius.el6.x86_64
> mysql55-5.5.30-1.ius.el6.x86_64
> mysqlclient16-5.1.61-1.ius.el6.x86_64
> mysql55-server-5.5.30-1.ius.el6.x86_64
>
You will keep seeing that warning for as long as phpmyadmin is compiled
against the stock mysql libs while the server runs a different mysql
version. Normally it's benign.
_______________________________________________
CentOS-docs mailing list
CentOS-docs at centos.org
http://lists.centos.org/mailman/listinfo/centos-docs