[CentOS] selinux & httpd & portmap
Toby Bluhm
tkb at midwestinstruments.com
Fri Jul 25 14:36:23 UTC 2008
Ian Blackwell wrote:
> Craig White wrote:
>> Suggest that you make sure you are fully updated, then
>> 'touch /.autorelabel' then reboot (reboot at a time you choose because
>> it may take a long time to relabel every file on your system -
>> especially if you have a lot of files).
>>
>> Craig
>>
> What Craig implies is that your system won't be available for quite a
> long time (relatively), while the relabel takes place. The boot time
> with an autorelabel is very long, and you won't have access to the
> server until the relabel is completed. So choose your time for the
> reboot with that knowledge.
>
> Ian
>
>
No problems there - I'm getting my selinux feet wet on a test box. Not
quite ready to risk torching a production machine.
The relabel did take some time after a reboot - portmap & httpd started
ok. While postgrey, clamd, postfix and amavisd all started, none could
access the libs & dirs they needed to process emails.
So I disabled selinux, rebooted, made sure everything worked alright -
which it did. Then enabled permissive mode & rebooted & it relabeled
itself this time.
After running some things, send/receive email, it still wants to deny:
type=AVC msg=audit(1216990772.410:72): avc: denied { read } for
pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.968:73): avc: denied { read } for
pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for
pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for
pid=2762 comm="postfix-script"
scontext=root:system_r:postfix_master_t:s0
tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
pid=2116 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for
pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
pid=2970 comm="arj"
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
SO - is it normal to have to update policies on basic services? Am I
missing an rpm?
--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203
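An added example, not part of this thread or of any SELinux tool: a small Python triage script that parses AVC records like the ones quoted above, groups them by source type, target type and object class, and attaches a first-look hint. The hint rules (generic labels such as var_t meaning "relabel first", an initrc_t target meaning "no domain transition") are assumed heuristics, not policy documentation.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in the message above,
# each on a single line as auditd writes them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1216990772.410:72): avc: denied { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.968:73): avc: denied { read } for pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1216992166.348:121): avc: denied { create } for pid=2116 comm="amavisd" name="p002.exe" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Heuristic (an assumption): a target carrying one of these catch-all labels usually means the
# file was never relabelled or sits in a path the file-context database does not cover.
GENERIC_LABELS = {"var_t", "default_t", "file_t", "unlabeled_t", "usr_t", "tmp_t"}

def parse_avc(line):
    # Return the fields of one AVC denial as a dict, or None for any other audit record.
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw, quoted in FIELD_RE.findall(m.group(2)):
        rec[key] = quoted if raw.startswith('"') else raw
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(audit_text):
    # Group denials by (source type, target type, class) and attach a first-look hint.
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "hint": ""})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["targets"].add(rec.get("path") or rec.get("name") or rec["tcontext"])
        if rec["ttype"] in GENERIC_LABELS:
            g["hint"] = "generic label: check file contexts and run restorecon on the directory first"
        elif rec["tclass"] == "process" and rec["ttype"] == "initrc_t":
            g["hint"] = "target still runs in initrc_t: the service probably never transitioned to its own domain"
        else:
            g["hint"] = "labels look right: likely a policy gap, check booleans or build a local module"
    return dict(groups)
```

Running triage(SAMPLE_AUDIT) separates the clamd denial on /var/clamav/main.cvd (a var_t label under /var, a relabel candidate) from the /proc/meminfo and amavis denials, which have correct-looking labels and point at policy gaps instead.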