[CentOS-docs] Mail / Web server guides

Tue Mar 26 08:59:19 UTC 2013
Christian Salway <ccsalway at itmanx.com>

Woke up to a couple of problems with SELinux this morning...

#######################################################
type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
**** Invalid AVC allowed in current policy ***

type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
**** Invalid AVC allowed in current policy ***

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the
directory sieve.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that lmtp should be allowed write access on the sieve
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

#######################################################

I'm not sure what's wrong with the first two Invalid AVCs.  httpd is what I
want to give access to pop_port_t (pop_port_t tcp 106, 109, 110, 143,
220, 993, 995, 1109) and smtp_port_t (smtp_port_t tcp 25, 465, 587).

The http.te looks like this:

module httpd 1.0;

require {
        type postfix_public_t;
        type postfix_spool_t;
        type pop_port_t;
        type smtp_port_t;
        type user_home_dir_t;
        type user_home_t;
        type httpd_t;
        type postfix_spool_maildrop_t;
        class process setrlimit;
        class file { rename setattr read create write getattr open };
        class dir { search write getattr remove_name add_name };
        class fifo_file { write getattr open };
        class tcp_socket name_connect;
}

#============= httpd_t ==============
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;

allow httpd_t self:process setrlimit;

allow httpd_t user_home_dir_t:dir { getattr search };

allow httpd_t user_home_t:dir { getattr search write add_name };
allow httpd_t user_home_t:file { create read open };


######################################################
The second (dovecot) issue: when I run
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol

I get:

module dovecot 1.0;
require {
        type dovecot_etc_t;
        type dovecot_t;
        class dir write;
}
#============= dovecot_t ==============
allow dovecot_t dovecot_etc_t:dir write;

but when I try
# semodule -i mypol.pp

I get 

libsepol.print_missing_requirements: dovecot's global requirements were not met: type/attribute dovecot_etc_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Any ideas?

Kind regards,
Christian Salway
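An added example, not part of the original post and not code from the CentOS or SELinux tooling: a small shell script that checks an audit2allow-generated .te before running semodule -i, covering the two things the post runs into. First, the "**** Invalid AVC allowed in current policy ***" lines come from audit2allow's audit2why check and mean that the AVC in the log is already permitted by the currently loaded policy; the posted httpd module contains exactly the two name_connect rules (pop_port_t and smtp_port_t) that cover those AVCs, and the script re-derives that by matching each AVC against the allow rules in the .te. Second, a .te whose first line is `module dovecot 1.0;` carries the same name as the base policy's dovecot module, so semodule -i replaces that module with one that only has a require block; dovecot_etc_t is then no longer declared anywhere, which is the "global requirements were not met" link failure shown. The script flags that name collision against a constructed stand-in for `semodule -l` output and rewrites the module line. The .te contents and the two AVC lines are taken from the post; the module listing, temporary paths and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.  Before `semodule -i`: (1) is an
# AVC already granted by a rule in the .te?  That is what audit2allow means by
# "Invalid AVC allowed in current policy".  (2) Does the .te reuse an installed
# module's name?  semodule would replace that module, and a file holding only
# a require block drops the types the original declared ("global requirements
# were not met").  Module listing, paths and function names are constructed.

# Constructed stand-in for `semodule -l` output (name, version per line).
INSTALLED_MODULES='apache 2.2.1
dovecot 1.12.0
postfix 1.11.0'

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HTTPD_TE="$WORK/httpd.te"       # the poster's httpd module, rules only
DOVECOT_TE="$WORK/dovecot.te"   # the poster's dovecot module as posted
cat > "$HTTPD_TE" <<'EOF'
module httpd 1.0;
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search
add_name };
allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t self:process setrlimit;
EOF
cat > "$DOVECOT_TE" <<'EOF'
module dovecot 1.0;
require {
        type dovecot_etc_t;
        type dovecot_t;
        class dir write;
}
allow dovecot_t dovecot_etc_t:dir write;
EOF
# The two AVCs from the post, each joined onto one line.
AVC_POP='type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket'
AVC_SMTP='type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# avc_tuple LINE -> "source_type target_type class perm" (first perm only)
avc_tuple() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
        }
        print src, tgt, cls, perm
    }'
}

# te_allows TEFILE SRC TGT CLASS PERM -> 0 if some allow rule grants it.
# Joins rules wrapped over several lines and resolves the "self" target.
te_allows() {
    awk -v src="$2" -v tgt="$3" -v cls="$4" -v perm="$5" '
        /^[ \t]*allow[ \t]/ {
            rule = $0
            while (rule !~ /;[ \t]*$/ && (getline nxt) > 0) rule = rule " " nxt
            sub(/^[ \t]+/, "", rule); gsub(/[{};]/, " ", rule)
            n = split(rule, f, /[ \t]+/); split(f[3], tc, ":")
            t = (tc[1] == "self") ? f[2] : tc[1]
            if (f[2] == src && t == tgt && tc[2] == cls)
                for (i = 4; i <= n; i++) if (f[i] == perm) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# avc_covered TEFILE LINE -> 0 if the .te already allows that AVC
avc_covered() {
    set -- "$1" $(avc_tuple "$2")
    te_allows "$1" "$2" "$3" "$4" "$5"
}

# te_module_name TEFILE -> NAME from the "module NAME VERSION;" line
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]][[:space:]]*\([A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$1" | head -n 1
}

# module_installed NAME -> 0 if NAME appears in the (stand-in) listing
module_installed() {
    printf '%s\n' "$INSTALLED_MODULES" | awk -v n="$1" '$1 == n { f = 1 } END { if (f) exit 0; exit 1 }'
}

# check_module_name TEFILE -> 1 if installing it would replace an existing module
check_module_name() {
    name=$(te_module_name "$1")
    [ -n "$name" ] || { echo "$1: no module declaration" >&2; return 1; }
    ! module_installed "$name" || { echo "$1: '$name' is already installed; semodule -i would replace it" >&2; return 1; }
}

# rename_module TEFILE NEWNAME -> rewrite the module line to NEWNAME
rename_module() {
    sed "s/^\([[:space:]]*module[[:space:]][[:space:]]*\)[A-Za-z0-9_]*/\1$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo: both AVCs are already granted by httpd.te; dovecot.te needs a new name.
for avc in "$AVC_POP" "$AVC_SMTP"; do
    avc_covered "$HTTPD_TE" "$avc" && echo "already allowed by httpd.te: $(avc_tuple "$avc")"
done
check_module_name "$DOVECOT_TE" || echo "rename it (e.g. to mypol) and rebuild the .pp"
```

After renaming the module, build and load it with the real tools: `checkmodule -M -m -o mypol.mod mypol.te && semodule_package -o mypol.pp -m mypol.mod && semodule -i mypol.pp`. Equivalently, re-run `audit2allow -M NAME` with a NAME that does not appear in `semodule -l`; the argument to -M becomes the module name in the generated .te.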

-----Original Message-----
From: centos-docs-bounces at centos.org [mailto:centos-docs-bounces at centos.org]
On Behalf Of Manuel Wolfshant
Sent: 25 March 2013 20:00
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Mail / Web server guides

On 03/25/2013 09:56 PM, Christian Salway wrote:
> [...]
> The only problem now is when I log into phpmyadmin, I get the 
> following and I can't find a solution.
>
> Your PHP MySQL library version 5.1.61 differs from your MySQL server 
> version 5.5.30. This may cause unpredictable behavior.
>
> # rpm -qa mysql*
> mysql55-libs-5.5.30-1.ius.el6.x86_64
> mysql55-5.5.30-1.ius.el6.x86_64
> mysqlclient16-5.1.61-1.ius.el6.x86_64
> mysql55-server-5.5.30-1.ius.el6.x86_64
>
You will keep seeing that warning for as long as phpmyadmin is compiled
against the stock mysql libs while the server runs a different mysql
version. Normally it's benign.
_______________________________________________
CentOS-docs mailing list
CentOS-docs at centos.org
http://lists.centos.org/mailman/listinfo/centos-docs