[CentOS] Defaults of CentOS Install not working with SELinux

Thu Apr 30 15:11:09 UTC 2009
Andrew Colin Kissa <andrew at topdog.za.net>

The audit.log should contain more detail than is being provided here,  
if it is a unix socket you should see the path, i suspect it is the  
unix socket not the tcp sockets (pop3/imap)


On 30 Apr 2009, at 4:50 PM, Dan Roberts wrote:

> Ok, but how?
>
> There appear to be a lot of different options when employing  
> audit2allow and I am reluctant to start blazing away trying  
> different elements.  I am missing the details of what socket an dhow  
> the execution is occuring so that I can begin to develop the proper  
> audit2allow sequence.
>
>
>
>
> On Apr 30, 2009, at 8:43 AM, Andrew Colin Kissa wrote:
>
>> Hi
>>
>> Dovecot is trying to open a socket, and procmail is trying to  
>> execute spamc, You should be able to fix these issues using  
>> audit2allow.
>>
>> Andrew.
>>
>> On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:
>>
>>> Following a hard drive corruption I have reinstalled the latest  
>>> version of CentOS and all current patch files.
>>>
>>> For most applications I selected the default options.  By doing  
>>> this I expected that the packages would play nice with one another  
>>> and I could customize as necessary.
>>>
>>> Setting SELinux to enforce I encountered all sorts of problems -  
>>> but most were resolvable, save for Dovecot, Procmail (for spamc),  
>>> and an odd one with Apache.
>>>
>>> Given that these were all installed with the CentOS install  
>>> defaults, I can't believe I am the only one with these issues but  
>>> finding a solution has not been self evident.  Hoping someone here  
>>> can help.
>>>
>>> For Dovecot I get the following:
>>> 	SELinux is preventing dovecot (dovecot_t) "create" to <Unknown>  
>>> (dovecot_t). For complete SELinux messages. run sealert -l  
>>> e1b070ab-586a-4c5a-befe-b6a46b9ab992
>>>
>>> For procmail I get the following:
>>> 	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
>>> (spamc_exec_t). For complete SELinux messages. run sealert -l  
>>> 0a554689-4948-4edf-9964-dddbfe6a2492
>>> 	SELinux is preventing sh (procmail_t) "read" to ./spamc  
>>> (spamc_exec_t). For complete SELinux messages. run sealert -l  
>>> 1f1ebd83-412d-4e93-a36f-6f3d34c663df
>>>
>>> For Apache it's even more strange - When started I get:
>>> 	Syntax error on line 283 of /etc/httpd/conf/httpd.conf
>>> 	DocumentRoot must be  directory
>>>
>>> But it is a directory, has the correct permissions and I have even  
>>> run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to  
>>> correct the problem.  I run a virtual server too, and in trying to  
>>> find a fix for this that may be a problem - but first things first.
>>>
>>> All the other issues I had I could resolve when I ran the  
>>> specified "sealert" tag and followed the suggested instructions -  
>>> but those above don't budge.  When I go to the fedora.redhat.com/ 
>>> docs/selinux-fq-fc5 site to take on making a local policy module I  
>>> am quickly getting lost .   The option to simply disable SElinux  
>>> with respect to Apache, Dovecote or anything else is suggested -  
>>> but not something I see in the GUI window, and I have not figured  
>>> out how to do it from the command line.
>>>
>>> Again, because these are default packages, I hope that someone  
>>> else knows how to resolve these.
>>>
>>> With respect to the to reports from SELinux regarding Dovecot and  
>>> promail, here is a bit more info:
>>>
>>> The info and Raw Audit message for dovecot_t is:
>>> 	Source Context                system_u:system_r:dovecot_t:s0
>>> 	Target Context                system_u:system_r:dovecot_t:s0
>>> 	Target Objects                None [ socket ]
>>> 	Source                        dovecot
>>> 	Source Path                   /usr/sbin/dovecot
>>> 	Port                          <Unknown>
>>> 	Host                          trailrunner
>>> 	Source RPM Packages           dovecot-1.0.7-7.el5
>>> 	Target RPM Packages
>>> 	Policy RPM                    selinux-policy-2.4.6-203.el5
>>> 	Selinux Enabled               True
>>> 	Policy Type                   targeted
>>> 	MLS Enabled                   True
>>> 	Enforcing Mode                Enforcing
>>> 	Plugin Name                   catchall
>>> 	Host Name                     trailrunner
>>> 	Platform                      Linux trailrunner  
>>> 2.6.18-128.1.6.el5xen #1 SMP Wed
>>> 	                              Apr 1 10:38:05 EDT 2009 i686 athlon
>>> 	Alert Count                   2
>>> 	First Seen                    Wed Apr 29 15:39:51 2009
>>> 	Last Seen                     Wed Apr 29 15:47:31 2009
>>> 	Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
>>> 	Line Numbers
>>>
>>> 	Raw Audit Messages
>>> 	host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:   
>>> denied  { create } for  pid=3884 comm="dovecot"  
>>> scontext=system_u:system_r:dovecot_t:s0  
>>> tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
>>> 	host=trailrunner type=SYSCALL msg=audit(1241041651.976:33):  
>>> arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070  
>>> a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0  
>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)  
>>> ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot"  
>>> subj=system_u:system_r:dovecot_t:s0 key=(null)
>>>
>>> The Raw Audit Message for Procmail is:
>>> 	Source Context                system_u:system_r:procmail_t:s0
>>> 	Target Context                system_u:object_r:spamc_exec_t:s0
>>> 	Target Objects                ./spamc [ file ]
>>> 	Source                        procmail
>>> 	Source Path                   /usr/bin/procmail
>>> 	Port                          <Unknown>
>>> 	Host                          trailrunner
>>> 	Source RPM Packages           procmail-3.22-17.1.el5.centos
>>> 	Target RPM Packages
>>> 	Policy RPM                    selinux-policy-2.4.6-203.el5
>>> 	Selinux Enabled               True
>>> 	Policy Type                   targeted
>>> 	MLS Enabled                   True
>>> 	Enforcing Mode                Enforcing
>>> 	Plugin Name                   catchall_file
>>> 	Host Name                     trailrunner
>>> 	Platform                      Linux trailrunner  
>>> 2.6.18-128.1.6.el5xen #1 SMP Wed
>>> 		                      Apr 1 10:38:05 EDT 2009 i686 athlon
>>> 	Alert Count                   29
>>> 	First Seen                    Wed Apr 29 15:40:40 2009
>>> 	Last Seen                     Wed Apr 29 16:25:40 2009
>>> 	Local ID                      0a554689-4948-4edf-9964-dddbfe6a2492
>>> 	Line Numbers
>>>
>>> 	Raw Audit Messages
>>> 	host=trailrunner type=AVC msg=audit(1241043940.918:166): avc:   
>>> denied  { execute } for  pid=3344 comm="procmail" name="spamc"  
>>> dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0  
>>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>>> 	host=trailrunner type=SYSCALL msg=audit(1241043940.918:166):  
>>> arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020  
>>> a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0  
>>> gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)  
>>> ses=4294967295 comm="procmail" exe="/usr/bin/procmail"  
>>> subj=system_u:system_r:procmail_t:s0 key=(null)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20090430/d99adbd0/attachment-0005.html>