Old 11-30-2009, 01:27 AM
Eric Paris
 
SELinux won't let dovecot connect to postgresql

On Sun, 2009-11-29 at 20:46 -0500, Roland Roberts wrote:
> On 11/29/2009 05:18 AM, Justin P. Mattock wrote:
> > In my case I normally just do:
> > audit2allow -d > to_the_allow_rules
> > audit2allow -i /var/log/* (and the rest of
> > the log messages having any left over AVCs
> > to define into the policy);
>
> Guys, you're driving me crazy :-/ I can't *find* a log entry to fix.
> There's nothing where it's supposed to be. So...if you agree that that
> looks like a bug, I'll just go on and file a bug. Otherwise I'm really
> stuck.

I see that my F12 policy has a rule that allows dovecot_t to talk to
postgresql_port_t. Not certain if it is controlled by a boolean which
is toggled wrong on your system or if you are having some other problem,
so let's start by seeing the actual AVC denial.

AVCs can end up either in /var/log/messages or /var/log/audit/audit.log
(depending on the system setup). Also, in permissive mode denials are
only logged one time, so you won't see a denial every time it ~would~
have triggered. To flush the SELinux cache I typically suggest you set
the system enforcing and back to permissive quickly. So let's do these
steps:

setenforce 1
setenforce 0
reproduce problem (or what would be a problem)
grep -i avc /var/log/messages
grep -i avc /var/log/audit/audit.log

If both of those come up blank, you are likely hitting a problem that is
being 'dontaudit'ed. I believe you said F11 (if not, and it is old enough
not to understand semodule -DB, let me know, as there are other ways to do
this on older systems)? If so, do these steps:

semodule -DB
setenforce 1
setenforce 0
reproduce problem (or what would be a problem)
grep -i avc /var/log/messages /var/log/audit/audit.log
semodule -B

Let us know the output this time. Hopefully we can get to the bottom of
this.

-Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 11-30-2009, 01:30 AM
"Justin P. Mattock"
 
SELinux won't let dovecot connect to postgresql

On 11/29/09 17:46, Roland Roberts wrote:
> On 11/29/2009 05:18 AM, Justin P. Mattock wrote:
> > In my case I normally just do:
> > audit2allow -d > to_the_allow_rules
> > audit2allow -i /var/log/* (and the rest of
> > the log messages having any left over AVCs
> > to define into the policy);
>
> Guys, you're driving me crazy :-/ I can't *find* a log entry to fix.
> There's nothing where it's supposed to be. So...if you agree that that
> looks like a bug, I'll just go on and file a bug. Otherwise I'm really
> stuck.
>
> roland

What you might try is, in the source tree of the policy
(/usr/share/selinux/*), do a
make clean
make enableaudit
make policy
make install
make load (reboot)
then you should be able to see some
AVCs in /var/log/messages and audit.log.

Keep in mind, if this is the targeted policy
you might have to download the source for that policy,
then (depending on binary/monolithic) build
your module for that policy (semodule) once you've
collected the extra dontaudit AVCs (/var/log/*) that are probably
preventing you from going further.


Justin P. Mattock


 
Old 11-30-2009, 12:05 PM
"David P. Quigley"
 
SELinux won't let dovecot connect to postgresql

On Sun, 2009-11-29 at 01:11 -0500, Roland Roberts wrote:
> Thomas Harold wrote:
> > On 11/29/2009 12:49 AM, Roland Roberts wrote:
> >> But it doesn't seem to include the init.d file, or is rpm -qil not
> >> telling me what I think it is telling me:
> >>
> >> 572 root> rpm -qil setroubleshoot-server | grep /etc
> >> /etc/audisp/plugins.d/sedispatch.conf
> >> /etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
> >> /etc/logrotate.d/setroubleshoot
> >> /etc/setroubleshoot
> >> /etc/setroubleshoot/setroubleshoot.cfg
> >>
> >
> > Not sure, that's sounding more like a Fedora issue than an SELinux
> > issue (and I'm not running Fedora, I'm running RHEL/CentOS). But a
> > bit of google-fu turned up:
> >
> > http://osdir.com/ml/fedora-selinux/2009-06/msg00053.html
> >
> > (the linked message was posted by Daniel J Walsh)
> >
> > Basically, they've restructured things back in June 2009. So you'll
> > probably have to go digging in the audit.log file for the AVC messages.
> >
> > # grep "AVC" /var/log/audit/audit.log
>
> Thanks. Maybe I'll file a report with bugzilla. Not sure that my
> missing messages are a bug, but there is nothing in
> /var/log/audit/audit.log with "avc". In any event, it's past my bedtime
> here for today
>
> g'nite.
>
> roland
>

Just as a bit of advice for the future. You are better off using the
ausearch command to find denials. You can narrow it down to just AVC
denials by using ausearch -m AVC. After that you can restrict based on
time using some of the other flags for the utility.

Dave

 
Old 12-02-2009, 07:22 PM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

On 11/29/2009 08:44 PM, Roland Roberts wrote:
> On 11/29/2009 05:11 AM, Sandro Janke wrote:
> > Actually, you don't need to have any of the setroubleshoot packages
> > installed to get AVC messages logged. What you need is auditd running
> > and it will log AVC messages to /var/log/audit/audit.log
> >
> > With setroubleshoot-server installed you can watch the logged
> > messages using:
> >
> > # sealert -a /var/log/audit/audit.log
> >
> > The output will be long and in the style of setroubleshoot browser,
> > so take your measures.
> >
> > Another tool - from the audit package - that can prove very useful is
> > ausearch. It will search the audit logs for messages matching the
> > given criteria.
>
> But I'm not getting any messages there. And changing enforcing mode
> fixes the problem, so it seems like it has to be SELinux, but with no
> log, I can't figure out what rule needs to be changed.

At the suggestion of Daniel Walsh, I ran

semodule -DB

then restarted dovecot and got my messages. I've used those to create
policy, but can't load it.


I've configured dovecot to use a local socket connection to postgres.
Here is what I have for SELinux:

grep 'Dec 2.*dovecot-auth' /var/log/messages | audit2allow -m local > local.te

328 root> cat local.te

module local 1.0;

require {
type dovecot_auth_t;
type unlabeled_t;
type postgresql_tmp_t;
class sock_file write;
class unix_stream_socket read;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

#============= unlabeled_t ==============
allow unlabeled_t self:unix_stream_socket read;
329 root> make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to
tmp/local.mod

Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
330 root> semodule -i local.pp
libsepol.print_missing_requirements: local's global requirements were
not met: type/attribute dovecot_auth_t

libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

I'm at a loss on what to do here. Suggestions on why it would tell me this?

roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

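Added example, not from the thread and not the code of audit2allow or semodule: a small Python model of the two steps the thread turns on. find_denials() pulls AVC "denied" records out of lines from either /var/log/audit/audit.log or /var/log/messages (the two places Eric Paris says they can land, which differ only in the prefix before "avc:"), to_module() renders them as a local.te in the shape "audit2allow -m local" produces (permissions merged per source/target/class, and "self" written when the target is the source type, as in Roland's unlabeled_t rule), and unmet_requirements() performs the check that semodule's linker failed on above: every type named in the require block must be declared by a module that is loaded. The log lines, the DECLARED_BY table and the sets of loaded modules are constructed for the example; on a real system you would confirm what is loaded with "semodule -l" and look a type up with "seinfo -t TYPE" from setools.

```python
"""Model of the two steps in this thread: turn AVC denials into a local
policy module, then check the module's 'require' block against the
modules that are loaded. This is an added example, not audit2allow or
semodule; every log line and module table below is constructed."""
import re
from collections import OrderedDict, namedtuple

# An AVC record reads the same in /var/log/audit/audit.log (type=AVC
# msg=audit(...)) and in /var/log/messages via the kernel logger
# (kernel: type=1400 audit(...)); only the prefix differs, so match from
# "avc:" onwards. Newer kernels append "permissive=0/1" after tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

Denial = namedtuple("Denial", "stype ttype tclass perms")


def context_type(ctx):
    """user:role:type[:level] -> type, the field allow rules are written on."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Denial for one AVC 'denied' record; None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(context_type(m.group("scontext")), context_type(m.group("tcontext")),
                  m.group("tclass"), frozenset(m.group("perms").split()))


def find_denials(lines):
    """All denials in the given lines, in log order; other lines are skipped."""
    return [d for d in map(parse_avc, lines) if d is not None]


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_module(denials, name="local", version="1.0"):
    """Render denials as a .te module in the shape 'audit2allow -m NAME' emits:
    one allow rule per (source type, target type, class) with the permissions
    merged, and 'self' as the target when it is the source type."""
    rules = OrderedDict()
    for d in denials:
        rules.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = OrderedDict()
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(p)};" for cls, p in classes.items()]
    out += ["}", ""]
    for (src, tgt, cls), perms in rules.items():
        tgt = "self" if src == tgt else tgt
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def unmet_requirements(te_source, declared_by, loaded_modules):
    """Types in the require block that no loaded module declares: the check
    behind semodule's 'global requirements were not met' failure.
    declared_by maps type -> module declaring it (a constructed table here)."""
    body = re.search(r"require\s*\{(.*?)^\}", te_source, re.S | re.M)
    required = re.findall(r"^\s*type\s+(\w+)\s*;", body.group(1) if body else "", re.M)
    return [(t, declared_by.get(t)) for t in required
            if declared_by.get(t) not in loaded_modules]


# Constructed sample: an audit.log record, a /var/log/messages record, a second
# permission on the same target (with a permissive=1 suffix), and two non-AVC lines.
SAMPLE_LOG = [
    'type=AVC msg=audit(1259791282.101:301): avc:  denied  { write } for  pid=2231 '
    'comm="dovecot-auth" name=".s.PGSQL.5432" dev=dm-0 ino=9137 '
    'scontext=system_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file',
    'Dec  2 14:28:02 mail kernel: type=1400 audit(1259791282.102:302): avc:  denied  '
    '{ read } for  pid=2231 comm="dovecot-auth" path="socket:[18841]" dev=sockfs '
    'ino=18841 scontext=system_u:system_r:unlabeled_t:s0 '
    'tcontext=system_u:system_r:unlabeled_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1259791282.103:303): avc:  denied  { getattr } for  pid=2231 '
    'comm="dovecot-auth" path="/tmp/.s.PGSQL.5432" dev=dm-0 ino=9137 '
    'scontext=system_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file permissive=1',
    'type=SYSCALL msg=audit(1259791282.101:301): arch=c000003e syscall=42 success=no',
    'Dec  2 14:28:05 mail dovecot: auth-worker: pgsql: Connect failed',
]

# Constructed: which loaded module declares each type (not real semodule output).
DECLARED_BY = {"dovecot_t": "dovecot", "dovecot_auth_t": "dovecot",
               "postgresql_tmp_t": "postgresql", "unlabeled_t": "base"}

if __name__ == "__main__":
    module_text = to_module(find_denials(SAMPLE_LOG))
    print(module_text)
    for loaded in ({"base", "postgresql", "dovecot"}, {"base", "postgresql"}):
        print(sorted(loaded), "unmet:", unmet_requirements(module_text, DECLARED_BY, loaded))
```

Run as a script it prints the generated module (the two sock_file denials collapse into one "allow dovecot_auth_t postgresql_tmp_t:sock_file { getattr write };" rule) and then the requirement check twice: nothing unmet when dovecot is among the loaded modules, and [('dovecot_auth_t', 'dovecot')] when it is not, which is the situation the "type/attribute dovecot_auth_t" message above describes.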
 
Old 12-02-2009, 07:44 PM
Bandan Das
 
SELinux won't let dovecot connect to postgresql

On Wed, 2009-12-02 at 15:22 -0500, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
> > On 11/29/2009 05:11 AM, Sandro Janke wrote:
> >> Actually, you don't need to have any of the setroubleshoot packages
> >> installed to get AVC messages logged. What you need is auditd running
> >> and it will log AVC messages to /var/log/audit/audit.log
> >>
> >> With setroubleshoot-server installed you can watch the logged
> >> messages using:
> >>
> >> # sealert -a /var/log/audit/audit.log
> >>
> >> The output will be long and in the style of setroubleshoot browser,
> >> so take your measures.
> >>
> >> Another tool - from the audit package - that can prove very useful is
> >> ausearch. It will search the audit logs for messages matching the
> >> given criteria.
> >
> > But I'm not getting any messages there. And changing enforcing mode
> > fixes the problem, so it seems like it has to be SELinux, but with no
> > log, I can't figure out what rule needs to be changed.
> >
>
> At the suggestion of Daniel Walsh, I ran
>
> semodule -DB
>
> then restarted dovecot and got my messages. I've used those to create
> policy, but can't load it.
>
> I've configured dovecot to use a local socket connection to postgres.
> Here is what I have for SELinux:
>
> grep 'Dec 2.*dovecot-auth' /var/log/messages | audit2allow -m local > local.te
> 328 root> cat local.te
>
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> type unlabeled_t;
> type postgresql_tmp_t;
> class sock_file write;
> class unix_stream_socket read;
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
>
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to
> tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were
> not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> I'm at a loss on what to do here. Suggestions on why it would tell me
> this?

I guess dovecot_auth_t should have been defined in dovecot.te. Are you
sure you have dovecot.pp loaded?

> roland
>


 
Old 12-02-2009, 08:37 PM
Daniel J Walsh
 
SELinux won't let dovecot connect to postgresql

On 12/02/2009 03:22 PM, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
>> On 11/29/2009 05:11 AM, Sandro Janke wrote:
>>> Actually, you don't need to have any of the setroubleshoot packages
>>> installed to get AVC messages logged. What you need is auditd running
>>> and it will log AVC messages to /var/log/audit/audit.log
>>>
>>> With setroubleshoot-server installed you can watch the logged
>>> messages using:
>>>
>>> # sealert -a /var/log/audit/audit.log
>>>
>>> The output will be long and in the style of setroubleshoot browser,
>>> so take your measures.
>>>
>>> Another tool - from the audit package - that can prove very useful is
>>> ausearch. It will search the audit logs for messages matching the
>>> given criteria.
>>
>> But I'm not getting any messages there. And changing enforcing mode
>> fixes the problem, so it seems like it has to be SELinux, but with no
>> log, I can't figure out what rule needs to be changed.
>>
>>
>
> At the suggestion of Daniel Walsh, I ran
>
> semodule -DB
>
> then restarted dovecot and got my messages. I've used those to create
> policy, but can't load it.
>
> I've configured dovecot to use a local socket connection to postgres.
> Here is what I have for SELinux:
>
> grep 'Dec 2.*dovecot-auth' /var/log/messages| audit2allow -m local >
> local.te
> 328 root> cat local.te
>
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> type unlabeled_t;
> type postgresql_tmp_t;
> class sock_file write;
> class unix_stream_socket read;
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
>
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to
> tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were
> not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> I'm at a loss on what to do here. Suggestions on why it would tell me
> this?
>
> roland
>
Did you replace the dovecot.pp when you first tried this?

 
