[CentOS] SELinux is preventing /usr/libexec/postfix/pickup from module_request

Mon Apr 30 17:15:51 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2012 10:53 PM, David McGuffey wrote:
> Getting module_request errors from SELinux. Errors being thrown by 
> metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup
> 
> All errors are essentially the same
> 
> System was working well until I began to apply some basic security 
> hardening configuration.
> 
> Postfix started complaining when I made /tmp noexec, nodev, nosuid, and 
> then did a mount --bind of /var/tmp under /tmp.
> 
> Backed that out the remount of /var/tmp and those errors went away. But 
> then these errors started showing up.
> 
> Here is an example of a postfix pickup error.  What is going on? I could 
> allow the module to load, but I want to understand what is going on and the
> dangers of making the mod before I do it.
> 
> 
> 
> SELinux is preventing /usr/libexec/postfix/pickup from module_request 
> access on the system Unknown.
> 
> *****  Plugin catchall_boolean (89.3 confidence) suggests 
> *******************
> 
> If you want to allow all domains to have the kernel load modules Then you
> must tell SELinux about this by enabling the 'domain_kernel_load_modules'
> boolean. Do setsebool -P domain_kernel_load_modules 1
> 
> *****  Plugin catchall (11.6 confidence) suggests 
> ***************************
> 
> If you believe that pickup should be allowed module_request access on the
> Unknown system by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access. Do allow this access
> for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow
> -M mypol # semodule -i mypol.pp
> 
> Additional Information: Source Context
> system_u:system_r:postfix_pickup_t:s0 Target Context
> system_u:system_r:kernel_t:s0 Target Objects                Unknown [
> system ] Source                        pickup Source Path
> /usr/libexec/postfix/pickup Port                          <Unknown> Host
> desk.localdomain Source RPM Packages           postfix-2.6.6-2.2.el6_1 
> Target RPM Packages Policy RPM
> selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled               True 
> Policy Type                   targeted Enforcing Mode
> Enforcing Host Name                     desk.localdomain Platform
> Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17
> 23:56:34 BST 2012 x86_64 x86_64 Alert Count                   24 First Seen
> Fri 27 Apr 2012 02:46:55 PM MDT Last Seen                     Sun 29 Apr
> 2012 05:10:32 AM MDT Local ID
> 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e
> 
> Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc:  denied {
> module_request } for  pid=24226 comm="pickup" kmod="net-pf-10" 
> scontext=system_u:system_r:postfix_pickup_t:s0 
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
> 
> 
> type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket 
> success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 
> ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup 
> exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0
> key=(null)
> 
> Hash: pickup,postfix_pickup_t,kernel_t,system,module_request
> 
> audit2allow
> 
> #============= postfix_pickup_t ============== #!!!! This avc can be
> allowed using the boolean 'domain_kernel_load_modules'
> 
> allow postfix_pickup_t kernel_t:system module_request;
> 
> audit2allow -R
> 
> #============= postfix_pickup_t ============== #!!!! This avc can be
> allowed using the boolean 'domain_kernel_load_modules'
> 
> allow postfix_pickup_t kernel_t:system module_request;
> 
> 
> _______________________________________________ CentOS mailing list 
> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos


These are caused because you disabled IPV6.

http://danwalsh.livejournal.com/47118.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+eyMcACgkQrlYvE4MpobP3dACggHFgCjuCy4L47E9uEVfzKDFb
bicAnjpYnYRhyEsskloHBPw6jhQ2SbYy
=udKB
-----END PGP SIGNATURE-----