Old 11-29-2009, 04:56 AM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

Roland Roberts wrote:

Thomas Harold wrote:
You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


Oo-oo. I just discovered something *very* interesting. When I first
set up this host, I set it up in parallel with the existing host it was
replacing and it had a different host name. I find, in
/var/lib/setroubleshoot/audit_listener_database.xml, the old host name.
Perhaps that's why I'm not getting my messages. I'm going to try
correcting the host name there. I'm not sure if I *need* to reboot, but
I'm not sure what processes will need to be restarted if I don't.


roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 11-29-2009, 05:05 AM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

Roland Roberts wrote:

Roland Roberts wrote:

Thomas Harold wrote:
You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


Oo-oo. I just discovered something *very* interesting. When I first
set up this host, I set it up in parallel with the existing host it
was replacing and it had a different host name. I find, in
/var/lib/setroubleshoot/audit_listener_database.xml, the old host
name. Perhaps that's why I'm not getting my messages. I'm going to
try correcting the host name there. I'm not sure if I *need* to
reboot, but I'm not sure what processes will need to be restarted if I
don't.


Well, that by itself is not sufficient. But perhaps these two lines in
syslog are a clue if only I could decipher them:


dbus: avc: received setenforce notice (enforcing=0)
tycho dbus: Can't send to audit system: USER_AVC avc: received
setenforce notice (enforcing=0)#012: exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)


roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

 
Old 11-29-2009, 05:07 AM
Thomas Harold
 
SELinux won't let dovecot connect to postgresql

On 11/29/2009 12:49 AM, Roland Roberts wrote:

Thomas Harold wrote:

You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


But it doesn't seem to include the init.d file, or is rpm -qil not
telling me what I think it is telling me:

572 root> rpm -qil setroubleshoot-server | grep /etc
/etc/audisp/plugins.d/sedispatch.conf
/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
/etc/logrotate.d/setroubleshoot
/etc/setroubleshoot
/etc/setroubleshoot/setroubleshoot.cfg



Not sure, that's sounding more like a Fedora issue than an SELinux issue
(and I'm not running Fedora, I'm running RHEL/CentOS). But a bit of
google-fu turned up:


http://osdir.com/ml/fedora-selinux/2009-06/msg00053.html

(the linked message was posted by Daniel J Walsh)

Basically, they've restructured things back in June 2009. So you'll
probably have to go digging in the audit.log file for the AVC messages.


# grep "AVC" /var/log/audit/audit.log

 
Old 11-29-2009, 05:11 AM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

Thomas Harold wrote:

On 11/29/2009 12:49 AM, Roland Roberts wrote:

But it doesn't seem to include the init.d file, or is rpm -qil not
telling me what I think it is telling me:

572 root> rpm -qil setroubleshoot-server | grep /etc
/etc/audisp/plugins.d/sedispatch.conf
/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
/etc/logrotate.d/setroubleshoot
/etc/setroubleshoot
/etc/setroubleshoot/setroubleshoot.cfg



Not sure, that's sounding more like a Fedora issue than an SELinux
issue (and I'm not running Fedora, I'm running RHEL/CentOS). But a
bit of google-fu turned up:


http://osdir.com/ml/fedora-selinux/2009-06/msg00053.html

(the linked message was posted by Daniel J Walsh)

Basically, they've restructured things back in June 2009. So you'll
probably have to go digging in the audit.log file for the AVC messages.


# grep "AVC" /var/log/audit/audit.log


Thanks. Maybe I'll file a report with bugzilla. Not sure that my
missing messages are a bug, but there is nothing in
/var/log/audit/audit.log with "avc". In any event, it's past my bedtime
here for today


g'nite.

roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

 
Old 11-29-2009, 05:35 AM
"Justin P. Mattock"
 
SELinux won't let dovecot connect to postgresql

On 11/28/09 22:05, Roland Roberts wrote:

Roland Roberts wrote:

Roland Roberts wrote:

Thomas Harold wrote:

You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


Oo-oo. I just discovered something *very* interesting. When I first
set up this host, I set it up in parallel with the existing host it
was replacing and it had a different host name. I find, in
/var/lib/setroubleshoot/audit_listener_database.xml, the old host
name. Perhaps that's why I'm not getting my messages. I'm going to try
correcting the host name there. I'm not sure if I *need* to reboot,
but I'm not sure what processes will need to be restarted if I don't.


Well, that by itself is not sufficient. But perhaps these two lines in
syslog are a clue if only I could decipher them:

dbus: avc: received setenforce notice (enforcing=0)
tycho dbus: Can't send to audit system: USER_AVC avc: received
setenforce notice (enforcing=0)#012: exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)

roland


why is dbus sending a setenforce=0 call?

Justin P. Mattock

 
Old 11-29-2009, 09:11 AM
Sandro Janke
 
SELinux won't let dovecot connect to postgresql

On 11/29/2009 06:29 AM, Roland Roberts wrote:

Thomas Harold wrote:

I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.

https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ


Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
packages installed, but much of that package talks about turning on the
setroubleshoot service; the file for that should be in
/etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
verify as correct (rpm -V) and rpm -qil does not show any such file in
the inventory. There is a file /usr/sbin/setroubleshootd which is what I
would expect for the daemon, but no file in /etc/rc.d/init.d references
it. Odd. And if I try to manually launch it, it runs briefly and leaves a
zero-length log file in /var/log/setroubleshoot/setroubleshootd.log.

Note that I am *not* on an X11 desktop on this host. It is a server, and
while it has X installed, it is in run level 3.


Actually, you don't need to have any of the setroubleshoot packages
installed to get AVC messages logged. What you need is auditd running
and it will log AVC messages to /var/log/audit/audit.log


With setroubleshoot-server installed you can watch the logged messages
using:


# sealert -a /var/log/audit/audit.log

The output will be long and in the style of setroubleshoot browser, so
take your measures.


Another tool - from the audit package - that can prove very useful is
ausearch. It will search the audit logs for messages matching the given
criteria.


 
Old 11-29-2009, 09:18 AM
"Justin P. Mattock"
 
SELinux won't let dovecot connect to postgresql

On 11/29/09 02:11, Sandro Janke wrote:

On 11/29/2009 06:29 AM, Roland Roberts wrote:

Thomas Harold wrote:

I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.

https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ


Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
packages installed, but much of that package talks about turning on the
setroubleshoot service; the file for that should be in
/etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
verify as correct (rpm -V) and rpm -qil does not show any such file in
the inventory. There is a file /usr/sbin/setroubleshootd which is what I
would expect for the daemon, but no file in /etc/rc.d/init.d references
it. Odd. And if I try to manually launch it, it runs briefly and leaves a
zero-length log file in /var/log/setroubleshoot/setroubleshootd.log.

Note that I am *not* on an X11 desktop on this host. It is a server, and
while it has X installed, it is in run level 3.


Actually, you don't need to have any of the setroubleshoot packages
installed to get AVC messages logged. What you need is auditd running
and it will log AVC messages to /var/log/audit/audit.log

With setroubleshoot-server installed you can watch the logged messages
using:

# sealert -a /var/log/audit/audit.log

The output will be long and in the style of setroubleshoot browser, so
take your measures.

Another tool - from the audit package - that can prove very useful is
ausearch. It will search the audit logs for messages matching the given
criteria.



agree..
In my case I normally just do:
audit2allow -d > to_the_allow_rules
audit2allow -i /var/log/* (and the rest of
the log messages having any left over avc's
to define into the policy);

Justin P. Mattock

 
Old 11-29-2009, 09:36 AM
"Justin P. Mattock"
 
SELinux won't let dovecot connect to postgresql

keep in mind this is running
the latest git refpolicy and everything.
You can use these tools (setools), although normally I try to
keep things as simple as possible, especially
during development (that is, until things get worked out);

Justin P. Mattock

 
Old 11-30-2009, 12:44 AM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

On 11/29/2009 05:11 AM, Sandro Janke wrote:
Actually, you don't need to have any of the setroubleshoot packages
installed to get AVC messages logged. What you need is auditd running
and it will log AVC messages to /var/log/audit/audit.log


With setroubleshoot-server installed you can watch the logged messages
using:


# sealert -a /var/log/audit/audit.log

The output will be long and in the style of setroubleshoot browser, so
take your measures.


Another tool - from the audit package - that can prove very useful is
ausearch. It will search the audit logs for messages matching the
given criteria.


But I'm not getting any messages there. And changing enforcing mode
fixes the problem, so it seems like it has to be SELinux, but with no
log, I can't figure out what rule needs to be changed.



--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

 
Old 11-30-2009, 12:46 AM
Roland Roberts
 
SELinux won't let dovecot connect to postgresql

On 11/29/2009 05:18 AM, Justin P. Mattock wrote:

In my case I normally just do:
audit2allow -d > to_the_allow_rules
audit2allow -i /var/log/* (and the rest of
the log messages having any left over avc's
to define into the policy);


Guys, you're driving me crazy :-/ I can't *find* a log entry to fix.
There's nothing where it's supposed to be. So...if you agree that that
looks like a bug, I'll just go on and file a bug. Otherwise I'm really
stuck.


roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220
