FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 07-24-2008, 07:35 PM
Craig White
 
Default selinux & httpd & portmap

On Thu, 2008-07-24 at 15:23 -0400, Toby Bluhm wrote:
> Having problems starting httpd & portmapper
>
> #service httpd start
> /usr/sbin/httpd: error while loading shared libraries: libm.so.6: cannot
> open shared object file: No such file or directory
>
> and I traced it to selinux, which I had just turned on for the first time:
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
>
> I can
>
> #setsebool -P httpd_disable_trans on
>
> and httpd starts - but there's zero enforcing now as I understand it.
>
> Further digging & I get to:
>
> # cat /var/log/audit/audit.log | audit2allow -m local
>
> module local 1.0;
>
> require {
> type portmap_t;
> type httpd_t;
> type file_t;
> class lnk_file read;
> class file { getattr read execute };
> }
>
> #============= httpd_t ==============
> allow httpd_t file_t:file { read getattr execute };
> allow httpd_t file_t:lnk_file read;
>
> #============= portmap_t ==============
> allow portmap_t file_t:file { read getattr execute };
> allow portmap_t file_t:lnk_file read;
>
>
> Other stuff like postfix, postgrey, amavisd are working fine since
> turning selinux on.
>
> Before I make a mess of things with trying to make a new policy,
> shouldn't two basic services like portmap & httpd already be allowed to
> run out of the box by selinux?
>
> If not, am I going down the right path to get it working?
----
if you just turned selinux on after running the computer with it
disabled, you really need to relabel the entire filesystem, which does
take some time. The reason is that files have been installed/created
without the appropriate contexts and relabeling fixes that.

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-24-2008, 11:45 PM
Ian Blackwell
 
Default selinux & httpd & portmap

Craig White wrote:

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig

What Craig implies is that your system won't be available for quite a
long time (relatively), while the relabel takes place. The boot time
with an autorelabel is very long, and you won't have access to the
server until the relabel is completed. So choose your time for the
reboot with that knowledge.


Ian
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-25-2008, 02:36 PM
Toby Bluhm
 
Default selinux & httpd & portmap

Ian Blackwell wrote:

Craig White wrote:

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig

What Craig implies is that your system won't be available for quite a
long time (relatively), while the relabel takes place. The boot time
with an autorelabel is very long, and you won't have access to the
server until the relabel is completed. So choose your time for the
reboot with that knowledge.


Ian





No problems there - I'm getting my selinux feet wet on a test box. Not
quite ready to risk torching a production machine.




The relabel did take some time after a reboot - portmap & httpd started
ok. WHile postgrey, clamd, postfix and amavisd all started, none could
access the libs & dirs they needed to process emails.


So I disabled selinux, rebooted, made sure everything worked alright -
which it did. Then enabled permissive mode & rebooted & it relabeled
itself this time.


After running some things, send/receive email, it still wants to deny:


type=AVC msg=audit(1216990772.410:72): avc: denied { read } for
pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=AVC msg=audit(1216990777.968:73): avc: denied { read } for
pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for
pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for
pid=2762 comm="postfix-script"
scontext=root:system_rostfix_master_t:s0
tcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
pid=2116 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
pid=2970 comm="arj"
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0
tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
pid=2116 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for
pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
pid=2970 comm="arj"
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file




SO - is it normal to have to update policies on basic services? Am I
missing an rpm?





--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-25-2008, 09:12 PM
Craig White
 
Default selinux & httpd & portmap

On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:
> Ian Blackwell wrote:
> > Craig White wrote:
> >> Suggest that you make sure you are fully updated, then
> >> 'touch /.autorelabel' then reboot (reboot at a time you choose because
> >> it may take a long time to relabel every file on your system -
> >> especially if you have a lot of files).
> >>
> >> Craig
> >>
> > What Craig implies is that your system won't be available for quite a
> > long time (relatively), while the relabel takes place. The boot time
> > with an autorelabel is very long, and you won't have access to the
> > server until the relabel is completed. So choose your time for the
> > reboot with that knowledge.
> >
> > Ian
> >
> >
>
>
> No problems there - I'm getting my selinux feet wet on a test box. Not
> quite ready to risk torching a production machine.
>
>
>
> The relabel did take some time after a reboot - portmap & httpd started
> ok. WHile postgrey, clamd, postfix and amavisd all started, none could
> access the libs & dirs they needed to process emails.
>
> So I disabled selinux, rebooted, made sure everything worked alright -
> which it did. Then enabled permissive mode & rebooted & it relabeled
> itself this time.
>
> After running some things, send/receive email, it still wants to deny:
>
>
> type=AVC msg=audit(1216990772.410:72): avc: denied { read } for
> pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_r:var_t:s0 tclass=file
>
> type=AVC msg=audit(1216990777.968:73): avc: denied { read } for
> pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_rroc_t:s0 tclass=file
>
> type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for
> pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_rroc_t:s0 tclass=file
>
> type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for
> pid=2762 comm="postfix-script"
> scontext=root:system_rostfix_master_t:s0
> tcontext=root:system_r:initrc_t:s0 tclass=process
>
> type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
> pid=2116 comm="amavisd" name="p002.exe"
> scontext=system_u:system_r:amavis_t:s0
> tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
> pid=2970 comm="arj"
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
> tcontext=system_ubject_r:amavis_var_lib_t:s0
> tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process
>
> type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
> pid=2116 comm="amavisd" name="p002.exe"
> scontext=system_u:system_r:amavis_t:s0
> tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for
> pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
> scontext=system_u:system_r:amavis_t:s0
> tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file
>
> type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
> pid=2970 comm="arj"
> path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
> dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
> tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file
>
>
>
> SO - is it normal to have to update policies on basic services? Am I
> missing an rpm?
----
those aren't basic services but are packages that are supplied by
repositories other than CentOS/upstream and apparently don't have all of
their files/folder labeled properly.

what do you get from command...

sealert -a /var/log/dmesg
or
sealert -a /var/log/audit/audit.log

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 01:24 PM
Toby Bluhm
 
Default selinux & httpd & portmap

Craig White wrote:

On Fri, 2008-07-25 at 10:36 -0400, Toby Bluhm wrote:

Ian Blackwell wrote:

Craig White wrote:

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig

What Craig implies is that your system won't be available for quite a
long time (relatively), while the relabel takes place. The boot time
with an autorelabel is very long, and you won't have access to the
server until the relabel is completed. So choose your time for the
reboot with that knowledge.


Ian




No problems there - I'm getting my selinux feet wet on a test box. Not
quite ready to risk torching a production machine.




The relabel did take some time after a reboot - portmap & httpd started
ok. WHile postgrey, clamd, postfix and amavisd all started, none could
access the libs & dirs they needed to process emails.


So I disabled selinux, rebooted, made sure everything worked alright -
which it did. Then enabled permissive mode & rebooted & it relabeled
itself this time.


After running some things, send/receive email, it still wants to deny:


type=AVC msg=audit(1216990772.410:72): avc: denied { read } for
pid=2037 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=AVC msg=audit(1216990777.968:73): avc: denied { read } for
pid=2037 comm="clamd" name="meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=AVC msg=audit(1216990777.969:74): avc: denied { getattr } for
pid=2037 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=AVC msg=audit(1216991822.928:113): avc: denied { signal } for
pid=2762 comm="postfix-script"
scontext=root:system_rostfix_master_t:s0
tcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
pid=2116 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
pid=2970 comm="arj"
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0
tclass=lnk_filetcontext=root:system_r:initrc_t:s0 tclass=process


type=AVC msg=audit(1216992166.348:121): avc: denied { create } for
pid=2116 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.372:123): avc: denied { unlink } for
pid=2116 comm="amavisd" name="p002.exe" dev=md0 ino=1005252
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=AVC msg=audit(1216992166.403:124): avc: denied { getattr } for
pid=2970 comm="arj"
path="/var/amavis/tmp/amavis-20080725T091655-02116/parts/p002.arj"
dev=md0 ino=1005252 scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file




SO - is it normal to have to update policies on basic services? Am I
missing an rpm?

----
those aren't basic services but are packages that are supplied by


postfix is centos, the rest are from rpmforge


repositories other than CentOS/upstream and apparently don't have all of
their files/folder labeled properly.

what do you get from command...

sealert -a /var/log/dmesg



zero alerts



or
sealert -a /var/log/audit/audit.log




lots of stuff from when it wasn't labeled right, so I stripped all
audit.log entries before the last DAEMON_START to a file & ran sealert
on it.



found 15 alerts in new_audit_log
--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "search" to ./kernel
(sysctl_kernel_t).


Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./kernel,

restorecon -v './kernel'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:sysctl_kernel_t:s0
Target Objects ./kernel [ dir ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 14:44:44 2008
Last Seen Fri Jul 25 14:44:44 2008
Local ID 8e3e4626-632c-4abc-b520-89c65771babf
Line Numbers 8, 9, 10

Raw Audit Messages

type=AVC msg=audit(1217011484.818:9): avc: denied { search } for
pid=2026 comm="clamd" name="kernel" dev=proc ino=-268435416
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:sysctl_kernel_t:s0 tclass=dir


type=AVC msg=audit(1217011484.818:9): avc: denied { read } for
pid=2026 comm="clamd" name="ngroups_max" dev=proc ino=-268435368
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:sysctl_kernel_t:s0 tclass=file


type=SYSCALL msg=audit(1217011484.818:9): arch=40000003 syscall=5
success=yes exit=3 a0=265c24 a1=0 a2=27fff4 a3=281994 items=0 ppid=2025
pid=2026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd"
subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "read" to ./daily.cld (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./daily.cld,

restorecon -v './daily.cld'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:var_t:s0
Target Objects ./daily.cld [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 2
First Seen Fri Jul 25 14:44:44 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID c0eb4a2f-6b73-4632-8f93-ca7dc67bb0f2
Line Numbers 11, 12, 102, 103

Raw Audit Messages

type=AVC msg=audit(1217014684.863:88): avc: denied { read } for
pid=2027 comm="clamd" name="daily.cld" dev=md0 ino=980633
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1217014684.863:88): arch=40000003 syscall=33
success=yes exit=0 a0=b156a88 a1=4 a2=3e1e20 a3=b156a88 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "getattr" to /var/clamav/daily.cld
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for /var/clamav/daily.cld,

restorecon -v '/var/clamav/daily.cld'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:var_t:s0
Target Objects /var/clamav/daily.cld [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 2
First Seen Fri Jul 25 14:44:44 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID 0cde5b6e-6fa7-494a-99f8-9553ddee87c2
Line Numbers 13, 14, 100, 101

Raw Audit Messages

type=AVC msg=audit(1217014684.851:87): avc: denied { getattr } for
pid=2027 comm="clamd" path="/var/clamav/daily.cld" dev=md0 ino=980633
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1217014684.851:87): arch=40000003 syscall=195
success=yes exit=0 a0=848e760 a1=bff5d4e0 a2=27fff4 a3=3 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "read" to ./clamav (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./clamav,

restorecon -v './clamav'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:var_t:s0
Target Objects ./clamav [ dir ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 6
First Seen Fri Jul 25 14:44:45 2008
Last Seen Sun Jul 27 19:27:34 2008
Local ID 01bbf449-7c24-4dd9-b484-a46df4dfe4af
Line Numbers 15, 16, 98, 99, 104, 105, 1678, 1679,
1686, 1687,

2349, 2350

Raw Audit Messages

type=AVC msg=audit(1217201254.144:2322): avc: denied { read } for
pid=2027 comm="clamd" name="clamav" dev=md0 ino=980353
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=dir


type=SYSCALL msg=audit(1217201254.144:2322): arch=40000003 syscall=5
success=yes exit=7 a0=863ad40 a1=18800 a2=77d0 a3=1 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "read" to ./meminfo (proc_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./meminfo,

restorecon -v './meminfo'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_rroc_t:s0
Target Objects ./meminfo [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 14:44:52 2008
Last Seen Fri Jul 25 14:44:52 2008
Local ID 814dc6d4-e410-48f1-84ad-d018202ce72b
Line Numbers 17, 18

Raw Audit Messages

type=AVC msg=audit(1217011492.129:13): avc: denied { read } for
pid=2026 comm="clamd" name="meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=SYSCALL msg=audit(1217011492.129:13): arch=40000003 syscall=5
success=yes exit=5 a0=265fba a1=0 a2=1b6 a3=8492ca8 items=0 ppid=2025
pid=2026 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "getattr" to /proc/meminfo (proc_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for /proc/meminfo,

restorecon -v '/proc/meminfo'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_rroc_t:s0
Target Objects /proc/meminfo [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 14:44:52 2008
Last Seen Fri Jul 25 14:44:52 2008
Local ID bc248f36-29cb-4d71-ad52-f572b86f2b51
Line Numbers 19, 20

Raw Audit Messages

type=AVC msg=audit(1217011492.130:14): avc: denied { getattr } for
pid=2026 comm="clamd" path="/proc/meminfo" dev=proc ino=-268435454
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_rroc_t:s0 tclass=file


type=SYSCALL msg=audit(1217011492.130:14): arch=40000003 syscall=197
success=yes exit=0 a0=5 a1=bff5b9bc a2=27fff4 a3=8492ca8 items=0
ppid=2025 pid=2026 auid=4294967295 uid=101 gid=203 euid=101 suid=101
fsuid=101 egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295
comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0
key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "write" to socket
(postfix_spool_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by smtpd. It is not expected that this
access is
required by smtpd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for socket,

restorecon -v 'socket'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_rostfix_smtpd_t:s0
Target Context system_ubject_rostfix_spool_t:s0
Target Objects socket [ sock_file ]
Source smtpd
Source Path /usr/libexec/postfix/smtpd
Port <Unknown>
Host <Unknown>
Source RPM Packages postfix-2.3.3-2
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 2
First Seen Fri Jul 25 15:38:02 2008
Last Seen Sun Jul 27 19:09:46 2008
Local ID f63b59e2-f942-4e7c-ad25-6271502a999d
Line Numbers 87, 88, 89, 2334, 2335, 2336

Raw Audit Messages

type=AVC msg=audit(1217200186.514:2309): avc: denied { write } for
pid=16433 comm="smtpd" name="socket" dev=md0 ino=980618
scontext=system_u:system_rostfix_smtpd_t:s0
tcontext=system_ubject_rostfix_spool_t:s0 tclass=sock_file


type=AVC msg=audit(1217200186.514:2309): avc: denied { connectto } for
pid=16433 comm="smtpd" path="/var/spool/postfix/postgrey/socket"
scontext=system_u:system_rostfix_smtpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1217200186.514:2309): arch=40000003 syscall=102
success=yes exit=0 a0=3 a1=bfd9f190 a2=d5bff4 a3=64 items=0 ppid=2162
pid=16433 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89
sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd"
exe="/usr/libexec/postfix/smtpd"
subj=system_u:system_rostfix_smtpd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing amavisd (amavis_t) "create" to p002.exe
(amavis_var_lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by amavisd. It is not expected that this
access
is required by amavisd and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is

causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for p002.exe,

restorecon -v 'p002.exe'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:amavis_t:s0
Target Context system_ubject_r:amavis_var_lib_t:s0
Target Objects p002.exe [ lnk_file ]
Source amavisd
Source Path /usr/bin/perl
Port <Unknown>
Host <Unknown>
Source RPM Packages perl-5.8.8-10.el5_2.3
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 15:38:04 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID 7cd467d2-9778-480f-b821-95457917f955
Line Numbers 90, 91

Raw Audit Messages

type=AVC msg=audit(1217014684.763:82): avc: denied { create } for
pid=2114 comm="amavisd" name="p002.exe"
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1217014684.763:82): arch=40000003 syscall=83
success=yes exit=0 a0=b3c67c0 a1=bab1ea8 a2=3f85cc a3=91c1008 items=0
ppid=2086 pid=2114 auid=4294967295 uid=102 gid=204 euid=102 suid=102
fsuid=102 egid=204 sgid=204 fsgid=204 tty=(none) ses=4294967295
comm="amavisd" exe="/usr/bin/perl" subj=system_u:system_r:amavis_t:s0
key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing lha (amavis_t) "read" to p002.exe (amavis_var_lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by lha. It is not expected that this
access is

required by lha and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for p002.exe,

restorecon -v 'p002.exe'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:amavis_t:s0
Target Context system_ubject_r:amavis_var_lib_t:s0
Target Objects p002.exe [ lnk_file ]
Source lha
Source Path /usr/bin/lha
Port <Unknown>
Host <Unknown>
Source RPM Packages lha-1.14i-19.2.2.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 15:38:04 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID 42bed321-a5cc-42f7-9ccd-306cceb4d84d
Line Numbers 92, 93

Raw Audit Messages

type=AVC msg=audit(1217014684.788:83): avc: denied { read } for
pid=2791 comm="lha" name="p002.exe" dev=md0 ino=1005163
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1217014684.788:83): arch=40000003 syscall=195
success=yes exit=0 a0=84f9040 a1=bfd2f460 a2=27fff4 a3=3 items=0
ppid=2114 pid=2791 auid=4294967295 uid=102 gid=204 euid=102 suid=102
fsuid=102 egid=204 sgid=204 fsgid=204 tty=(none) ses=4294967295
comm="lha" exe="/usr/bin/lha" subj=system_u:system_r:amavis_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing amavisd (amavis_t) "unlink" to p002.exe
(amavis_var_lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by amavisd. It is not expected that this
access
is required by amavisd and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is

causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for p002.exe,

restorecon -v 'p002.exe'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:amavis_t:s0
Target Context system_ubject_r:amavis_var_lib_t:s0
Target Objects p002.exe [ lnk_file ]
Source amavisd
Source Path /usr/bin/perl
Port <Unknown>
Host <Unknown>
Source RPM Packages perl-5.8.8-10.el5_2.3
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 15:38:04 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID 96f869ca-7802-4ac0-b6ff-ce6c87dc2b0b
Line Numbers 94, 95

Raw Audit Messages

type=AVC msg=audit(1217014684.791:84): avc: denied { unlink } for
pid=2114 comm="amavisd" name="p002.exe" dev=md0 ino=1005163
scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1217014684.791:84): arch=40000003 syscall=10
success=yes exit=0 a0=b5478f0 a1=a9d13f8 a2=3f85cc a3=b5478f0 items=0
ppid=2086 pid=2114 auid=4294967295 uid=102 gid=204 euid=102 suid=102
fsuid=102 egid=204 sgid=204 fsgid=204 tty=(none) ses=4294967295
comm="amavisd" exe="/usr/bin/perl" subj=system_u:system_r:amavis_t:s0
key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing arj (amavis_t) "getattr" to
/var/amavis/tmp/amavis-20080725T153804-02114/parts/p002.arj
(amavis_var_lib_t).


Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by arj. It is not expected that this
access is

required by arj and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for
/var/amavis/tmp/amavis-20080725T153804-02114/parts/p002.arj,

restorecon -v '/var/amavis/tmp/amavis-20080725T153804-02114/parts/p002.arj'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:amavis_t:s0
Target Context system_ubject_r:amavis_var_lib_t:s0
Target Objects /var/amavis/tmp/amavis-
20080725T153804-02114/parts/p002.arj [
lnk_file ]

Source arj
Source Path /usr/bin/arj
Port <Unknown>
Host <Unknown>
Source RPM Packages arj-3.10.22-1.el5.centos
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Fri Jul 25 15:38:04 2008
Last Seen Fri Jul 25 15:38:04 2008
Local ID 258c2e84-640c-4b90-8d64-c377e0c4f537
Line Numbers 96, 97

Raw Audit Messages

type=AVC msg=audit(1217014684.819:85): avc: denied { getattr } for
pid=2792 comm="arj"
path="/var/amavis/tmp/amavis-20080725T153804-02114/parts/p002.arj"
dev=md0 ino=1005163 scontext=system_u:system_r:amavis_t:s0
tcontext=system_ubject_r:amavis_var_lib_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1217014684.819:85): arch=40000003 syscall=196
success=yes exit=0 a0=9b96060 a1=bf81a740 a2=27fff4 a3=3 items=0
ppid=2114 pid=2792 auid=4294967295 uid=102 gid=204 euid=102 suid=102
fsuid=102 egid=204 sgid=204 fsgid=204 tty=(none) ses=4294967295
comm="arj" exe="/usr/bin/arj" subj=system_u:system_r:amavis_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "getattr" to /var/clamav/daily.cld
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for /var/clamav/daily.cld,

restorecon -v '/var/clamav/daily.cld'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context user_ubject_r:var_t:s0
Target Objects /var/clamav/daily.cld [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 3
First Seen Sun Jul 27 04:02:05 2008
Last Seen Sun Jul 27 19:27:34 2008
Local ID 6e4ae90d-cd65-446e-a5cb-bdda2d9db2ca
Line Numbers 1680, 1681, 1692, 1693, 2351, 2352

Raw Audit Messages

type=AVC msg=audit(1217201254.145:2323): avc: denied { getattr } for
pid=2027 comm="clamd" path="/var/clamav/daily.cld" dev=md0 ino=980630
scontext=system_u:system_r:clamd_t:s0 tcontext=user_ubject_r:var_t:s0
tclass=file


type=SYSCALL msg=audit(1217201254.145:2323): arch=40000003 syscall=195
success=yes exit=0 a0=8cae938 a1=bff5d470 a2=27fff4 a3=3 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "getattr" to /var/clamav/main.cvd
(var_t).


Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for /var/clamav/main.cvd,

restorecon -v '/var/clamav/main.cvd'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:var_t:s0
Target Objects /var/clamav/main.cvd [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages clamav-db-0.93.3-1.el5.rf
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 2
First Seen Sun Jul 27 04:02:05 2008
Last Seen Sun Jul 27 04:02:07 2008
Local ID 097da0d6-83ad-4eed-a796-0b56e61320bb
Line Numbers 1682, 1683, 1690, 1691

Raw Audit Messages

type=AVC msg=audit(1217145727.816:1668): avc: denied { getattr } for
pid=2027 comm="clamd" path="/var/clamav/main.cvd" dev=md0 ino=980355
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1217145727.816:1668): arch=40000003 syscall=197
success=yes exit=0 a0=7 a1=bff5ad54 a2=27fff4 a3=9ebdb08 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "read" to ./daily.cld (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./daily.cld,

restorecon -v './daily.cld'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context user_ubject_r:var_t:s0
Target Objects ./daily.cld [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 2
First Seen Sun Jul 27 04:02:05 2008
Last Seen Sun Jul 27 04:03:46 2008
Local ID b9b5eb92-3729-437b-ab59-b68d57669b4d
Line Numbers 1684, 1685, 1694, 1695

Raw Audit Messages

type=AVC msg=audit(1217145826.535:1670): avc: denied { read } for
pid=2027 comm="clamd" name="daily.cld" dev=md0 ino=980630
scontext=system_u:system_r:clamd_t:s0 tcontext=user_ubject_r:var_t:s0
tclass=file


type=SYSCALL msg=audit(1217145826.535:1670): arch=40000003 syscall=33
success=yes exit=0 a0=848dff0 a1=4 a2=3e1e20 a3=848dff0 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)




--------------------------------------------------------------------------------


Summary:

SELinux is preventing clamd (clamd_t) "read" to ./main.cvd (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by clamd. It is not expected that this
access is
required by clamd and this access may signal an intrusion attempt. It is
also

possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore

the default system file context for ./main.cvd,

restorecon -v './main.cvd'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:clamd_t:s0
Target Context system_ubject_r:var_t:s0
Target Objects ./main.cvd [ file ]
Source clamd
Source Path /usr/sbin/clamd
Port <Unknown>
Host <Unknown>
Source RPM Packages clamd-0.93.3-1.el5.rf
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name mail.alltechmedicalsystemsamerica.com
Platform Linux mail.alltechmedicalsystemsamerica.com
2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
13:49:24 EDT

2008 i686 athlon
Alert Count 1
First Seen Sun Jul 27 04:02:07 2008
Last Seen Sun Jul 27 04:02:07 2008
Local ID abf945db-c7b3-4d66-861f-16f4ae090452
Line Numbers 1688, 1689

Raw Audit Messages

type=AVC msg=audit(1217145727.816:1667): avc: denied { read } for
pid=2027 comm="clamd" name="main.cvd" dev=md0 ino=980355
scontext=system_u:system_r:clamd_t:s0
tcontext=system_ubject_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1217145727.816:1667): arch=40000003 syscall=5
success=yes exit=7 a0=b43c078 a1=0 a2=1b6 a3=9ebdb08 items=0 ppid=1
pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)



--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 03:13 PM
Craig White
 
Default selinux & httpd & portmap

On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:

> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for ./kernel,
>
> restorecon -v './kernel'
----
did you try this?
----
>
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:clamd_t:s0
> Target Context system_ubject_r:sysctl_kernel_t:s0
> Target Objects ./kernel [ dir ]
> Source clamd
> Source Path /usr/sbin/clamd
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages clamd-0.93.3-1.el5.rf
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall_file
> Host Name mail.alltechmedicalsystemsamerica.com
> Platform Linux mail.alltechmedicalsystemsamerica.com
> 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
> 13:49:24 EDT
> 2008 i686 athlon
> Alert Count 1
> First Seen Fri Jul 25 14:44:44 2008
> Last Seen Fri Jul 25 14:44:44 2008
> Local ID 8e3e4626-632c-4abc-b520-89c65771babf
> Line Numbers 8, 9, 10
>
> Raw Audit Messages
>
> type=AVC msg=audit(1217011484.818:9): avc: denied { search } for
> pid=2026 comm="clamd" name="kernel" dev=proc ino=-268435416
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_r:sysctl_kernel_t:s0 tclass=dir
>
> type=AVC msg=audit(1217011484.818:9): avc: denied { read } for
> pid=2026 comm="clamd" name="ngroups_max" dev=proc ino=-268435368
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_r:sysctl_kernel_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1217011484.818:9): arch=40000003 syscall=5
> success=yes exit=3 a0=265c24 a1=0 a2=27fff4 a3=281994 items=0 ppid=2025
> pid=2026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd"
> subj=system_u:system_r:clamd_t:s0 key=(null)
----
this one is a bit beyond me unless the

restorecon -v './kernel'

works - you might want to check in on the selinux-list...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 03:14 PM
Craig White
 
Default selinux & httpd & portmap

On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:
> Summary:
>
> SELinux is preventing clamd (clamd_t) "read" to ./daily.cld (var_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied
> but was
> permitted due to permissive mode.]
>
> SELinux denied access requested by clamd. It is not expected that
> this
> access is
> required by clamd and this access may signal an intrusion attempt. It
> is
> also
> possible that the specific version or configuration of the application
> is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try
> to
> restore
> the default system file context for ./daily.cld,
>
> restorecon -v './daily.cld'
>
> If this does not work, there is currently no automatic way to allow
> this
> access.
> Instead, you can generate a local policy module to allow this access
> -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:clamd_t:s0
> Target Context system_ubject_r:var_t:s0
> Target Objects ./daily.cld [ file ]
> Source clamd
> Source Path /usr/sbin/clamd
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages clamd-0.93.3-1.el5.rf
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall_file
> Host Name mail.alltechmedicalsystemsamerica.com
> Platform Linux
> mail.alltechmedicalsystemsamerica.com
> 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25
> 13:49:24 EDT
> 2008 i686 athlon
> Alert Count 2
> First Seen Fri Jul 25 14:44:44 2008
> Last Seen Fri Jul 25 15:38:04 2008
> Local ID c0eb4a2f-6b73-4632-8f93-ca7dc67bb0f2
> Line Numbers 11, 12, 102, 103
>
> Raw Audit Messages
>
> type=AVC msg=audit(1217014684.863:88): avc: denied { read } for
> pid=2027 comm="clamd" name="daily.cld" dev=md0 ino=980633
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_ubject_r:var_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1217014684.863:88): arch=40000003 syscall=33
> success=yes exit=0 a0=b156a88 a1=4 a2=3e1e20 a3=b156a88 items=0
> ppid=1
> pid=2027 auid=4294967295 uid=101 gid=203 euid=101 suid=101 fsuid=101
> egid=203 sgid=203 fsgid=203 tty=(none) ses=4294967295 comm="clamd"
> exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
----
you definitely want to run...

restorecon -v './var/clamav/daily.cld'
or something like...
chcon -t system_u:system_r:clamd_t:s0 /var/clamav/daily.cld

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 03:53 PM
Craig White
 
Default selinux & httpd & portmap

On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:

> >> SO - is it normal to have to update policies on basic services? Am I
> >> missing an rpm?
> > ----
> > those aren't basic services but are packages that are supplied by
>
> postfix is centos, the rest are from rpmforge
>
> > repositories other than CentOS/upstream and apparently don't have all of
> > their files/folder labeled properly.
> >
> > what do you get from command...
> >
> > sealert -a /var/log/dmesg
>
>
> zero alerts
>
>
> > or
> > sealert -a /var/log/audit/audit.log
> >
>
>
> lots of stuff from when it wasn't labeled right, so I stripped all
> audit.log entries before the last DAEMON_START to a file & ran sealert
> on it.
----
I just want to point out that the issue isn't with postfix but rather
amavisd and how/where amavisd connects/communicates with the various
parts and pieces.

I'm afraid that I can't be too much help here because I use MailScanner
and not amavisd but the SELinux mail list could help you work through
these things (I'm presuming that amavisd hasn't worked through all of
their contexts).

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 06:01 PM
Toby Bluhm
 
Default selinux & httpd & portmap

Craig White wrote:

On Mon, 2008-07-28 at 09:24 -0400, Toby Bluhm wrote:





----
I just want to point out that the issue isn't with postfix but rather
amavisd and how/where amavisd connects/communicates with the various
parts and pieces.

I'm afraid that I can't be too much help here because I use MailScanner
and not amavisd but the SELinux mail list could help you work through
these things (I'm presuming that amavisd hasn't worked through all of
their contexts).




Sounds like my situation is not completely unexpected. Thanks for your
hints - I'll follow up on them.





--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-28-2008, 06:21 PM
MHR
 
Default selinux & httpd & portmap

Tony,

1) Please edit your replies to remove unnecessary information.

2) If you need to present this large of an amount of data, please
include it in an attachment.

Thanks.

mhr
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 03:16 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org