Woke up to a couple of problems with SELINUX this morning... ####################################################### type=AVC msg=audit(1364240071.657:27): avc: denied { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket **** Invalid AVC allowed in current policy *** type=AVC msg=audit(1364240397.817:30): avc: denied { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket **** Invalid AVC allowed in current policy *** found 1 alerts in /var/log/audit/audit.log ---------------------------------------------------------------------------- ---- SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the directory sieve. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that lmtp should be allowed write access on the sieve directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ####################################################### Im not sure whats wrong with the first two Invalid AVC's. httpd is what I want to give access to pop_port_t (pop_port_t tcp 106, 109, 110, 143, 220, 993, 995, 1109) and smtp_port_t (smtp_port_t tcp 25, 465, 587) The http.te looks like this module httpd 1.0; require { type postfix_public_t; type postfix_spool_t; type pop_port_t; type smtp_port_t; type user_home_dir_t; type user_home_t; type httpd_t; type postfix_spool_maildrop_t; class process setrlimit; class file { rename setattr read create write getattr open }; class dir { search write getattr remove_name add_name }; class fifo_file { write getattr open }; class tcp_socket name_connect; } #============= httpd_t ============== allow httpd_t postfix_public_t:dir search; allow httpd_t postfix_public_t:fifo_file { write getattr open }; allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name }; allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open }; allow httpd_t postfix_spool_t:dir search; allow httpd_t pop_port_t:tcp_socket name_connect; allow httpd_t smtp_port_t:tcp_socket name_connect; allow httpd_t self:process setrlimit; allow httpd_t user_home_dir_t:dir { getattr search }; allow httpd_t user_home_t:dir { getattr search write add_name }; allow httpd_t user_home_t:file { create read open }; ###################################################### the second dovecot issue, when I run # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol I get: module dovecot 1.0; require { type dovecot_etc_t; type dovecot_t; class dir write; } #============= dovecot_t ============== allow dovecot_t dovecot_etc_t:dir write; but when I try # semodule -i mypol.pp I get libsepol.print_missing_requirements: dovecot's global requirements were not met: type/attribute dovecot_etc_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! any ideas? Kind regards, Christian Salway -----Original Message----- From: centos-docs-bounces at centos.org [mailto:centos-docs-bounces at centos.org] On Behalf Of Manuel Wolfshant Sent: 25 March 2013 20:00 To: Mail list for wiki articles Subject: Re: [CentOS-docs] Mail / Web server guides On 03/25/2013 09:56 PM, Christian Salway wrote: > [...] > The only problem now is when I log into phpmyadmin, I get the > following and I can't find a solution. > > Your PHP MySQL library version 5.1.61 differs from your MySQL server > version 5.5.30. This may cause unpredictable behavior. > > # rpm -qa mysql* > mysql55-libs-5.5.30-1.ius.el6.x86_64 > mysql55-5.5.30-1.ius.el6.x86_64 > mysqlclient16-5.1.61-1.ius.el6.x86_64 > mysql55-server-5.5.30-1.ius.el6.x86_64 > You will keep seeing that warning for as long as phpmyadmin is compiled against the stock mysql libs while the server runs a different mysql version. Normally it's benign. _______________________________________________ CentOS-docs mailing list CentOS-docs at centos.org http://lists.centos.org/mailman/listinfo/centos-docs