[CentOS-docs] Mail / Web server guides

Tue Mar 26 09:51:12 UTC 2013
Manuel Wolfshant <wolfy at nobugconsulting.ro>

Please see the replies inline



On 03/26/2013 10:59 AM, Christian Salway wrote:
> Woke up to a couple of problems with SELINUX this morning...
>
> #######################################################
> type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for
> pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
> **** Invalid AVC allowed in current policy ***
>
> type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for
> pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
> **** Invalid AVC allowed in current policy ***
>
> found 1 alerts in /var/log/audit/audit.log
> ----------------------------------------------------------------------------
>
> SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the
> directory sieve.
>
> *****  Plugin catchall (100. confidence) suggests  ***************************
>
> If you believe that lmtp should be allowed write access on the sieve
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> #######################################################
>
> I'm not sure what's wrong with the first two Invalid AVCs. httpd is what I
> want to give access to pop_port_t (pop_port_t tcp 106, 109, 110, 143,
> 220, 993, 995, 1109) and smtp_port_t (smtp_port_t tcp 25, 465, 587).
>
> The http.te looks like this
>
> module httpd 1.0;
>
> require {
>          type postfix_public_t;
>          type postfix_spool_t;
>          type pop_port_t;
>          type smtp_port_t;
>          type user_home_dir_t;
>          type user_home_t;
>          type httpd_t;
>          type postfix_spool_maildrop_t;
>          class process setrlimit;
>          class file { rename setattr read create write getattr open };
>          class dir { search write getattr remove_name add_name };
>          class fifo_file { write getattr open };
>          class tcp_socket name_connect;
> }
>
> #============= httpd_t ==============
> allow httpd_t postfix_public_t:dir search;
> allow httpd_t postfix_public_t:fifo_file { write getattr open };
I am not sure by heart about these ones. If httpd_can_sendmail does not
solve them, I would need to see the AVCs.


> allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
> allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
> allow httpd_t postfix_spool_t:dir search;
     setsebool httpd_can_sendmail 1



> allow httpd_t pop_port_t:tcp_socket name_connect;
I am not sure about this one. I need to see the AVC but probably you need
     setsebool httpd_can_network_connect 1


> allow httpd_t smtp_port_t:tcp_socket name_connect;
>
> allow httpd_t self:process setrlimit;
     setsebool httpd_setrlimit 1



> allow httpd_t user_home_dir_t:dir { getattr search };
> allow httpd_t user_home_t:dir { getattr search write add_name };
> allow httpd_t user_home_t:file { create read open };
     setsebool httpd_enable_homedirs 1


> ######################################################
> the second dovecot issue, when I run
> # grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
>
> I get:
>
> module dovecot 1.0;
> require {
>          type dovecot_etc_t;
>          type dovecot_t;
>          class dir write;
> }
> #============= dovecot_t ==============
> allow dovecot_t dovecot_etc_t:dir write;
>
> but when I try
> # semodule -i mypol.pp
>
> I get
>
> libsepol.print_missing_requirements: dovecot's global requirements were not
> met: type/attribute dovecot_etc_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule:  Failed!
>
> any ideas?

     I suggest trying audit2why in order to understand the problem 
before using audit2allow to create custom policies. In the above case I 
have a strong feeling that you do not need a custom policy but a correct 
SELinux label.

     I am glad that you do try to cope with SELinux, but please let's not 
turn this list into an SELinux-support one. If you need help with 
particular items, please ask in #centos or #selinux on freenode (or on 
the other CentOS mailing list). Even fedora-selinux is a good source of 
support, as they deal over there with support for both Fedora and RHEL.
     I know that the beginning is harsh (I've been there myself, and 
even after 7-8 years of usage I still need and rely on the docs, not 
to mention the occasional cry for help sent to those who know more), but 
based on the policies that you tried to create I really think that you 
should keep http://wiki.centos.org/TipsAndTricks/SelinuxBooleans and 
http://wiki.centos.org/HowTos/SELinux handy.


         manuel
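As an added example (not part of the thread and not either author's code), the script below maps the httpd_t AVC denials quoted above to the booleans named in the reply, so that a boolean is reviewed before a custom audit2allow module is compiled. It assumes the audit.log line format shown in the quoted message; the two extra AVC lines (home directory and dovecot) are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example: map an httpd_t AVC denial to the SELinux boolean the reply
# suggests instead of an audit2allow module. Nothing here changes the host;
# it only prints the setsebool command to review.
# Assumption: AVC lines follow the audit.log format quoted in the thread.

suggest_boolean() {
    line=$1
    case "$line" in
        *scontext=*:httpd_t:*) ;;
        # Non-httpd denials (e.g. the dovecot_t one) are not a boolean question;
        # the reply recommends audit2why and checking the file label first.
        *) echo "not-httpd"; return 1 ;;
    esac
    case "$line" in
        # pop_port_t/smtp_port_t name_connect: reply suggests httpd_can_network_connect.
        # That boolean opens every port; check whether a narrower one already
        # covers the mail ports on your policy version before enabling it.
        *name_connect*tcontext=*:pop_port_t:*|*name_connect*tcontext=*:smtp_port_t:*)
            echo "httpd_can_network_connect" ;;
        *tcontext=*:postfix_*) echo "httpd_can_sendmail" ;;
        *setrlimit*) echo "httpd_setrlimit" ;;
        *tcontext=*:user_home_dir_t:*|*tcontext=*:user_home_t:*)
            echo "httpd_enable_homedirs" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Sample AVC lines: the first two are from the quoted audit.log, the rest are constructed.
AVC_POP='type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket'
AVC_SMTP='type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'
AVC_HOME='type=AVC msg=audit(1364240500.000:31): avc:  denied  { search } for pid=1851 comm="httpd" name="home" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir'
AVC_DOVECOT='type=AVC msg=audit(1364240600.000:32): avc:  denied  { write } for pid=2001 comm="lmtp" name="sieve" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir'

# Print the persistent (-P) boolean change to review for each denial; run
# `grep <comm> /var/log/audit/audit.log | audit2why` first, as the reply advises.
for avc in "$AVC_POP" "$AVC_SMTP" "$AVC_HOME" "$AVC_DOVECOT"; do
    if b=$(suggest_boolean "$avc"); then
        printf 'setsebool -P %s 1\n' "$b"
    else
        printf 'no boolean (%s): check label with ls -Z / matchpathcon, then audit2why\n' "$b"
    fi
done
```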