On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:
> Ian Blackwell wrote:
> > Craig White wrote:
> >> Suggest that you make sure you are fully updated, then
> >> 'touch /.autorelabel' then reboot (reboot at a time you choose because
> >> it may take a long time to relabel every file on your system -
> >> especially if you have a lot of files).
> >>
> >> Craig
> >>
> > What Craig implies is that your system won't be available for quite a
> > long time (relatively), while the relabel takes place. The boot time
> > with an autorelabel is very long, and you won't have access to the
> > server until the relabel is completed. So choose your time for the
> > reboot with that knowledge.
> >
> > Ian
> >
> No problems there - I'm getting my selinux feet wet on a test box. Not
> quite ready to risk torching a production machine.
>
> The relabel did take some time after a reboot - portmap & httpd started
> ok. While postgrey, clamd, postfix and amavisd all started, none could
> access the libs & dirs they needed to process emails.
>
> So I disabled selinux, rebooted, made sure everything worked alright -
> which it did. Then enabled permissive mode & rebooted & it relabeled
> itself this time.
> After running some things, send/receive email, it still wants to deny:
>
> type=AVC msg=audit(1216990772.410:72): avc: denied { read } for
> pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=file
>
> type=AVC msg=audit(1216990777.968:73): avc: denied { read } for
> pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for
> pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for
> pid=2762 comm="postfix-script"
> scontext=root:system_r:postfix_master_t:s0
> tcontext=root:system_r:initrc_t:s0 tclass=process
>
> type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
> pid=2116 comm="amavisd" name="p002.exe"
> scontext=system_u:system_r:amavis_t:s0
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for
> pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
> scontext=system_u:system_r:amavis_t:s0
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
> pid=2970 comm="arj"
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
> tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> SO - is it normal to have to update policies on basic services? Am I
> missing an rpm?
----
those aren't basic services but are packages that are supplied by
repositories other than CentOS/upstream and apparently don't have all of
their files/folder labeled properly.

what do you get from command...

sealert -a /var/log/dmesg

or

sealert -a /var/log/audit/audit.log

Craig
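As an added illustration of the triage Craig is pointing at (this is not code from the thread or from any of its participants), the script below parses AVC records in the format quoted above, groups the denials by source type, target type, object class and permission, and separates out the denials whose target carries a generic file label such as var_t, which is the signature of a file that was never given a package-specific label rather than of a gap in policy. The sample records are constructed for this example and modelled on the ones in the thread, with the mail wrapping undone so each record sits on one line; the set of "generic" types is a heuristic chosen here, not something the thread or SELinux defines.

```python
import re
from collections import Counter

# Constructed sample input modelled on the AVC records quoted in the thread
# (one record per line, as they appear in /var/log/audit/audit.log). The
# USER_AUTH line is there to show that non-AVC records are skipped.
SAMPLE_AVC = """\
type=AVC msg=audit(1216990772.410:72): avc: denied { read } for pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1216990777.968:73): avc: denied { read } for pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for pid=2762 comm="postfix-script" scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1216992166.348:121): avc: denied { create } for pid=2116 comm="amavisd" name="p002.exe" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
type=USER_AUTH msg=audit(1216990000.000:10): user pid=1 uid=0 msg='not an avc record'
"""

# Header of a kernel AVC record; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value, where value is either double-quoted (paths, comm) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (chosen for this example): file-class denials whose target type is
# one of these catch-all labels usually mean the object was never labelled for
# the package that owns it, so restorecon on the path is the first thing to try.
GENERIC_FILE_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def _type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),   # "{ read }" -> ["read"]
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    rec["target"] = rec.get("path") or rec.get("name") or ""
    return rec


def triage(audit_text):
    """Summarise denials and list targets whose label looks generic."""
    records = [r for r in (parse_avc(l) for l in audit_text.splitlines())
               if r is not None and r["result"] == "denied"]
    summary = Counter()
    for r in records:
        for perm in r["perms"]:
            summary[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    mislabel = sorted({(r["target"], r["ttype"], r["stype"]) for r in records
                       if r["tclass"] in FILE_CLASSES and r["ttype"] in GENERIC_FILE_TYPES})
    return {"denials": len(records), "summary": summary, "mislabel_candidates": mislabel}


def format_report(result):
    """Render the triage result as plain text for reading on a terminal."""
    lines = [f"{result['denials']} AVC denials"]
    for (stype, ttype, tclass, perm), n in sorted(result["summary"].items()):
        lines.append(f"  {n:3d}  {stype} -> {ttype} {tclass} {{ {perm} }}")
    if result["mislabel_candidates"]:
        lines.append("likely mislabelled objects (check with restorecon -Rv <path>):")
        for target, ttype, stype in result["mislabel_candidates"]:
            lines.append(f"  {target} is {ttype}, wanted by {stype}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_AVC)))
```

Run against a real audit.log (`triage(open("/var/log/audit/audit.log").read())`) the summary groups the noise by source and target type, and the candidate list points at objects to relabel with restorecon before anyone considers writing a local policy module; denials whose target already has a package-specific type (amavis_var_lib_t, proc_t above) are the ones worth taking to sealert.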