[CentOS] SELinux is preventing /usr/libexec/postfix/pickup from module_request

Mon Apr 30 02:53:11 UTC 2012
David McGuffey <davidmcguffey at verizon.net>

Getting module_request errors from SELinux. Errors being thrown by
  metacity
  sendmail.postfix
  cleanup
  trivial-rewarite
  local
  postdrop
  pickup

All errors are essentially the same

System was working well until I began to apply some basic security
hardening configuration.

Postfix started complaining when I made /tmp noexec, nodev, nosuid, and
then did a mount --bind of /var/tmp under /tmp.

Backed that out the remount of /var/tmp and those errors went away. But
then these errors started showing up.

Here is an example of a postfix pickup error.  What is going on? I could
allow the module to load, but I want to understand what is going on and
the dangers of making the mod before I do it.



SELinux is preventing /usr/libexec/postfix/pickup from module_request
access on the system Unknown.

*****  Plugin catchall_boolean (89.3 confidence) suggests
*******************

If you want to allow all domains to have the kernel load modules
Then you must tell SELinux about this by enabling the
'domain_kernel_load_modules' boolean.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests
***************************

If you believe that pickup should be allowed module_request access on
the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pickup /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        pickup
Source Path                   /usr/libexec/postfix/pickup
Port                          <Unknown>
Host                          desk.localdomain
Source RPM Packages           postfix-2.6.6-2.2.el6_1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     desk.localdomain
Platform                      Linux desk.localdomain
2.6.32-220.13.1.el6.x86_64
                              #1 SMP Tue Apr 17 23:56:34 BST 2012 x86_64
x86_64
Alert Count                   24
First Seen                    Fri 27 Apr 2012 02:46:55 PM MDT
Last Seen                     Sun 29 Apr 2012 05:10:32 AM MDT
Local ID                      4b8e5292-93f1-4e69-8bb4-4ea70bc5232e

Raw Audit Messages
type=AVC msg=audit(1335697832.612:34911): avc:  denied
{ module_request } for  pid=24226 comm="pickup" kmod="net-pf-10"
scontext=system_u:system_r:postfix_pickup_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket
success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0
ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup
exe=/usr/libexec/postfix/pickup
subj=system_u:system_r:postfix_pickup_t:s0 key=(null)

Hash: pickup,postfix_pickup_t,kernel_t,system,module_request

audit2allow

#============= postfix_pickup_t ==============
#!!!! This avc can be allowed using the boolean
'domain_kernel_load_modules'

allow postfix_pickup_t kernel_t:system module_request;

audit2allow -R

#============= postfix_pickup_t ==============
#!!!! This avc can be allowed using the boolean
'domain_kernel_load_modules'

allow postfix_pickup_t kernel_t:system module_request;