Old 07-08-2008, 01:17 PM
Jan Kasprzak
 
Postfix avcs (Enabling SELinux on a custom kernel)

Stephen Smalley wrote:
: Your options would seem to be:
: - use an initrd (easiest),

OK, I did the above. Thanks!

Now I have problems running Postfix - sample avcs are the
following:

type=1400 audit(1215522639.630:102): avc: denied { sys_chroot } for pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc: denied { sys_chroot } for pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc: denied { sys_chroot } for pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc: denied { sys_chroot } for pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability

I have run it through audit2allow -m localpostfix > localpostfix.te,
compiled it using

checkmodule -M -m -o localpostfix.mod localpostfix.te
semodule_package -o localpostfix.pp -m localpostfix.mod

but when I try to load it using "semodule -i localpostfix.pp",
the semodule command hangs for several minutes, eating almost 100 % CPU.
After that, it fails with

libsemanage.dbase_llist_query: could not query record value (No such file or directory).

Tried with both "setenforce 0" and "setenforce 1". How can I fix it?
Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-08-2008, 01:23 PM
Stephen Smalley
 
Postfix avcs (Enabling SELinux on a custom kernel)

On Tue, 2008-07-08 at 15:17 +0200, Jan Kasprzak wrote:
> Stephen Smalley wrote:
> : Your options would seem to be:
> : - use an initrd (easiest),
>
> OK, I did the above. Thanks!
>
> Now I have problems running Postfix - sample avcs are the
> following:
>
> type=1400 audit(1215522639.630:102): avc: denied { sys_chroot } for pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
> type=1400 audit(1215522639.766:103): avc: denied { sys_chroot } for pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
> type=1400 audit(1215522640.693:104): avc: denied { sys_chroot } for pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
> type=1400 audit(1215522640.760:105): avc: denied { sys_chroot } for pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
>
> I have run it through audit2allow -m localpostfix > localpostfix.te,
> compiled it using
>
> checkmodule -M -m -o localpostfix.mod localpostfix.te
> semodule_package -o localpostfix.pp -m localpostfix.mod

Easier way to do that is:
audit2allow -M localpostfix
That creates the .te file, runs it through checkmodule, and runs it
through semodule_package, leaving you with the .pp file.

> but when I try to load it using "semodule -i localpostfix.pp",
> the semodule command hangs for several minutes, eating almost 100 % CPU.
> After that, it fails with
>
> libsemanage.dbase_llist_query: could not query record value (No such file or directory).
>
> Tried with both "setenforce 0" and "setenforce 1". How can I fix it?
> Thanks,

Hmmm...that's interesting. Usually that means you are missing a config
file in the policy store. Are you starting from the stock Fedora policy
or your own custom policy? Also, did it actually fail or just issue
that warning and proceed?

--
Stephen Smalley
National Security Agency

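As an added illustration (not code from either poster), this is the kind of .te module that audit2allow derives from denials like the four quoted above: the AVC records are parsed for the denied permissions, the source/target types and the object class, and permissions are merged per (source, target, class), with `self` written where source and target are the same domain, as they are here. Function names and the module layout are my own; only the sample log lines come from the thread.

```python
import re
from collections import defaultdict

# Sample AVC records taken from the thread (security contexts in the usual
# user:role:type:level form); these are the only input the example uses.
AVC_LINES = """\
type=1400 audit(1215522639.630:102): avc: denied { sys_chroot } for pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc: denied { sys_chroot } for pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc: denied { sys_chroot } for pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc: denied { sys_chroot } for pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for each AVC denial."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # skip audit records that are not AVC denials
            continue
        out.append((context_type(m["scon"]), context_type(m["tcon"]),
                    m["tclass"], frozenset(m["perms"].split())))
    return out

def build_te(records, name, version="1.0"):
    """Render a minimal .te module; permissions merged per (source, target, class)."""
    rules, types, classes = defaultdict(set), set(), defaultdict(set)
    for stype, ttype, tclass, perms in records:
        target = "self" if stype == ttype else ttype  # same domain -> 'self'
        rules[(stype, target, tclass)] |= perms
        types.update({stype} if target == "self" else {stype, ttype})
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    # Each rule grants exactly what the log showed denied; review before loading.
    for (stype, target, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_te(parse_avc(AVC_LINES), "localpostfix"))
```

Running the block prints the module source that `audit2allow -M localpostfix` would then feed to checkmodule and semodule_package.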