[CentOS-docs] Mail / Web server guides
Manuel Wolfshant
wolfy at nobugconsulting.roTue Mar 26 09:51:12 UTC 2013
- Previous message: [CentOS-docs] Mail / Web server guides
- Next message: [CentOS-docs] Mail / Web server guides
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Please see the replies inline
On 03/26/2013 10:59 AM, Christian Salway wrote:
> Woke up to a couple of problems with SELINUX this morning...
>
> #######################################################
> type=AVC msg=audit(1364240071.657:27): avc: denied { name_connect } for
> pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
> **** Invalid AVC allowed in current policy ***
>
> type=AVC msg=audit(1364240397.817:30): avc: denied { name_connect } for
> pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
> **** Invalid AVC allowed in current policy ***
>
> found 1 alerts in /var/log/audit/audit.log
> ----------------------------------------------------------------------------
> ----
>
> SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the
> directory sieve.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that lmtp should be allowed write access on the sieve
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> #######################################################
>
> Im not sure whats wrong with the first two Invalid AVC's. httpd is what I
> want to give access to pop_port_t (pop_port_t tcp 106, 109, 110, 143,
> 220, 993, 995, 1109) and smtp_port_t (smtp_port_t tcp 25, 465, 587)
>
> The http.te looks like this
>
> module httpd 1.0;
>
> require {
> type postfix_public_t;
> type postfix_spool_t;
> type pop_port_t;
> type smtp_port_t;
> type user_home_dir_t;
> type user_home_t;
> type httpd_t;
> type postfix_spool_maildrop_t;
> class process setrlimit;
> class file { rename setattr read create write getattr open };
> class dir { search write getattr remove_name add_name };
> class fifo_file { write getattr open };
> class tcp_socket name_connect;
> }
>
> #============= httpd_t ==============
> allow httpd_t postfix_public_t:dir search;
> allow httpd_t postfix_public_t:fifo_file { write getattr open }
I am not sure by heart about these ones. if httpd_can_sendmail does not
solve them, I would need to see the AVCs
> allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search
> add_name };
> allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr
> read create open };
> allow httpd_t postfix_spool_t:dir search;
setsebool httpd_can_sendmail 1
> allow httpd_t pop_port_t:tcp_socket name_connect;
I am not sure about this one. I need to see the AVC but probably you need
setsebool httpd_can_network_connect 1
> allow httpd_t smtp_port_t:tcp_socket name_connect;
>
> allow httpd_t self:process setrlimit;
setsebool httpd_setrlimit 1
> allow httpd_t user_home_dir_t:dir { getattr search };
> allow httpd_t user_home_t:dir { getattr search write add_name };
> allow httpd_t user_home_t:file { create read open };
setsebool httpd_enable_homedirs 1
> ######################################################
> the second dovecot issue, when I run
> # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
>
> I get:
>
> module dovecot 1.0;
> require {
> type dovecot_etc_t;
> type dovecot_t;
> class dir write;
> }
> #============= dovecot_t ==============
> allow dovecot_t dovecot_etc_t:dir write;
>
> but when I try
> # semodule -i mypol.pp
>
> I get
>
> libsepol.print_missing_requirements: dovecot's global requirements were not
> met: type/attribute dovecot_etc_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!
>
> any ideas?
I suggest to try audit2why in order to understand the problem
before using audit2allow to create custom policies. In the above case I
have a strong feeling that you do not need a custom policy but a correct
selinux label.
I am glad that you do try to cope with selinux but please let's not
turn this list in a selinux-support one. If you need help with
particular items, please ask in #centos or #selinux on freenode ( or in
the other centos mailing list). Even fedora-selinux is a good source of
support, as they deal over there with support for both Fedora and RHEL
I know that the beginning is harsh ( I've been there myself and
even after 7-8 years of usage I still need and rely on the docs .. not
to mention the occasional cry for help sent to those who know more) but
based on the policies that you tried to create I really think that you
should keep http://wiki.centos.org/TipsAndTricks/SelinuxBooleans and
http://wiki.centos.org/HowTos/SELinux handy
manuel
- Previous message: [CentOS-docs] Mail / Web server guides
- Next message: [CentOS-docs] Mail / Web server guides
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS-docs mailing list