[CentOS] selinux & httpd & portmap

Fri Jul 25 21:12:46 UTC 2008
Craig White <craigwhite at azapple.com>

On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:
> Ian Blackwell wrote:
> > Craig White wrote:
> >> Suggest that you make sure you are fully updated, then
> >> 'touch /.autorelabel' then reboot (reboot at a time you choose because
> >> it may take a long time to relabel every file on your system -
> >> especially if you have a lot of files).
> >>
> >> Craig
> >>   
> > What Craig implies is that your system won't be available for quite a 
> > long time (relatively), while the relabel takes place.  The boot time 
> > with an autorelabel is very long, and you won't have access to the 
> > server until the relabel is completed.  So choose your time for the 
> > reboot with that knowledge.
> > 
> > Ian
> > 
> > 
> 
> 
> No problems there - I'm getting my selinux feet wet on a test box. Not 
> quite ready to risk torching a production machine.
> 
> 
> 
> The relabel did take some time after a reboot - portmap & httpd started 
> ok. While postgrey, clamd, postfix and amavisd all started, none could 
> access the libs & dirs they needed to process emails.
> 
> So I disabled selinux, rebooted, made sure everything worked alright - 
> which it did. Then enabled permissive mode & rebooted & it relabeled 
> itself this time.
> 
> After running some things, send/receive email, it still wants to deny:
> 
> 
> type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for 
> pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:var_t:s0 tclass=file
> 
> type=AVC msg=audit(1216990777.968:73): avc:  denied  { read } for 
> pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> 
> type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for 
> pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 
> scontext=system_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> 
> type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for 
> pid=2762 comm="postfix-script" 
> scontext=root:system_r:postfix_master_t:s0 
> tcontext=root:system_r:initrc_t:s0 tclass=process
> 
> type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for 
> pid=2116 comm="amavisd" name="p002.exe" 
> scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> type=AVC msg=audit(1216992166.372:123): avc:  denied  { unlink } for 
> pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252 
> scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> type=AVC msg=audit(1216992166.403:124): avc:  denied  { getattr } for 
> pid=2970 comm="arj" 
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj" 
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0 
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
> 
> 
> 
> So - is it normal to have to update policies on basic services? Am I 
> missing an rpm?
----
Those aren't basic services but are packages that are supplied by
repositories other than CentOS/upstream and apparently don't have all of
their files/folders labeled properly.

What do you get from the command...

sealert -a /var/log/dmesg
or
sealert -a /var/log/audit/audit.log

Craig
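An added example, not part of this thread: a small parser that reads AVC records like the ones quoted above, groups the denials by source type, target type and object class, and flags the ones where the target carries a generic parent label (var_t, default_t, ...), which is the pattern Craig's reply points at: a mislabeled file to fix with restorecon/semanage fcontext rather than a denial that needs a new policy module. The GENERIC_TYPES list is an assumption of this example, and the sample records are the thread's own lines joined onto one line each.

```python
import re
from collections import Counter

# Constructed sample: four of the AVC records quoted in the thread, each joined
# onto a single line as audit.log writes them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1216990772.410:72): avc:  denied  { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.969:74): avc:  denied  { getattr } for pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc:  denied  { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1216992166.348:121): avc:  denied  { create } for pid=2116 comm="amavisd" name="p002.exe" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: generic labels a confined daemon should never need to own.
GENERIC_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "file_t", "tmp_t", "var_lib_t"}

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules key on the type field.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def triage(audit_text):
    """Count denied permissions per (source type, target type, class) and list
    the denied paths whose target label is generic, i.e. probably mislabeled."""
    groups = Counter()
    mislabeled = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        groups[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])] += len(rec["perms"])
        if rec["tcontext_type"] in GENERIC_TYPES and rec.get("path"):
            mislabeled.append((rec["path"], rec["tcontext_type"]))
    return groups, mislabeled

if __name__ == "__main__":
    groups, mislabeled = triage(SAMPLE_AUDIT)
    for key, n in groups.items():
        print("%-18s -> %-18s %-9s %d denied" % (key[0], key[1], key[2], n))
    for path, t in mislabeled:
        print("likely mislabeled: %s (%s); restore the daemon's expected label" % (path, t))
```

Only the clamd read of /var/clamav/main.cvd comes out as a labeling problem; the proc_t, initrc_t and amavis_var_lib_t denials are interactions the policy itself does not allow and are what sealert is for.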