-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/29/2012 10:53 PM, David McGuffey wrote: > Getting module_request errors from SELinux. Errors being thrown by > metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup > > All errors are essentially the same > > System was working well until I began to apply some basic security > hardening configuration. > > Postfix started complaining when I made /tmp noexec, nodev, nosuid, and > then did a mount --bind of /var/tmp under /tmp. > > Backed that out the remount of /var/tmp and those errors went away. But > then these errors started showing up. > > Here is an example of a postfix pickup error. What is going on? I could > allow the module to load, but I want to understand what is going on and the > dangers of making the mod before I do it. > > > > SELinux is preventing /usr/libexec/postfix/pickup from module_request > access on the system Unknown. > > ***** Plugin catchall_boolean (89.3 confidence) suggests > ******************* > > If you want to allow all domains to have the kernel load modules Then you > must tell SELinux about this by enabling the 'domain_kernel_load_modules' > boolean. Do setsebool -P domain_kernel_load_modules 1 > > ***** Plugin catchall (11.6 confidence) suggests > *************************** > > If you believe that pickup should be allowed module_request access on the > Unknown system by default. Then you should report this as a bug. You can > generate a local policy module to allow this access. Do allow this access > for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow > -M mypol # semodule -i mypol.pp > > Additional Information: Source Context > system_u:system_r:postfix_pickup_t:s0 Target Context > system_u:system_r:kernel_t:s0 Target Objects Unknown [ > system ] Source pickup Source Path > /usr/libexec/postfix/pickup Port <Unknown> Host > desk.localdomain Source RPM Packages postfix-2.6.6-2.2.el6_1 > Target RPM Packages Policy RPM > selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled True > Policy Type targeted Enforcing Mode > Enforcing Host Name desk.localdomain Platform > Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 > 23:56:34 BST 2012 x86_64 x86_64 Alert Count 24 First Seen > Fri 27 Apr 2012 02:46:55 PM MDT Last Seen Sun 29 Apr > 2012 05:10:32 AM MDT Local ID > 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e > > Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc: denied { > module_request } for pid=24226 comm="pickup" kmod="net-pf-10" > scontext=system_u:system_r:postfix_pickup_t:s0 > tcontext=system_u:system_r:kernel_t:s0 tclass=system > > > type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket > success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 > ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup > exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 > key=(null) > > Hash: pickup,postfix_pickup_t,kernel_t,system,module_request > > audit2allow > > #============= postfix_pickup_t ============== #!!!! This avc can be > allowed using the boolean 'domain_kernel_load_modules' > > allow postfix_pickup_t kernel_t:system module_request; > > audit2allow -R > > #============= postfix_pickup_t ============== #!!!! This avc can be > allowed using the boolean 'domain_kernel_load_modules' > > allow postfix_pickup_t kernel_t:system module_request; > > > _______________________________________________ CentOS mailing list > CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos These are caused because you disabled IPV6. http://danwalsh.livejournal.com/47118.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+eyMcACgkQrlYvE4MpobP3dACggHFgCjuCy4L47E9uEVfzKDFb bicAnjpYnYRhyEsskloHBPw6jhQ2SbYy =udKB -----END PGP SIGNATURE-----