12-28-2011, 10:03 PM
Edward Ned Harvey

selinux denial not appearing in logs

How can this happen? It's getting denied, but not appearing in either the audit log or the messages file. Running Centos 6 fully updated, php (drupal) inside of httpd tries to send mail via postfix (postdrop).

When I have setenforce 0, the mail goes through. No errors in any logs (audit.log, error_log, messages)
When I have setenforce 1, the mail gets blocked. I get this message in httpd error_log:

    sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
    sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
    sendmail: fatal: email@example.com(48): unable to execute /usr/sbin/postdrop -r: Success

I have auditd running. In fact, I regularly use audit2allow to create allow policies on this machine. So I can confidently say normally my selinux denials get logged in the audit.log. I am at a loss to think of any reason this particular failure is not getting logged the same way my other error messages usually get logged.

I believe I can write a custom allow script by hand, but I believe I probably shouldn't, or if I try, it will fail for some reason.

Thanks for your help...
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
12-28-2011, 11:15 PM
Paul Howarth

selinux denial not appearing in logs

On Wed, 28 Dec 2011 18:04:30 -0500
Edward Ned Harvey <selinuxadmin@clevertrove.com> wrote:

> How can this happen? It's getting denied, but not appearing in
> either the audit log or the messages file. Running Centos 6 fully
> updated, php (drupal) inside of httpd tries to send mail via postfix
> (postdrop).
>
>
>
> When I have setenforce 0, the mail goes through. No errors in any
> logs (audit.log, error_log, messages)
>
> When I have setenforce 1, the mail gets blocked. I get this message
> in httpd error_log:
>
> sendmail: fatal: execvp /usr/sbin/postdrop: Permission
> denied
>
> sendmail: warning: command "/usr/sbin/postdrop -r" exited with status
> 1
>
> sendmail: fatal: email@example.com(48): unable to
> execute /usr/sbin/postdrop -r: Success
>
>
>
> I have auditd running. In fact, I regularly use audit2allow to
> create allow policies on this machine. So I can confidently say
> normally my selinux denials get logged in the audit.log. I am at a
> loss to think of any reason this particular failure is not getting
> logged the same way my other error messages usually get logged.
>
>
>
> I believe I can write a custom allow script by hand, but I believe I
> probably shouldn't, or if I try, it will fail for some reason.
>
>
>
> Thanks for your help...

The denials you're getting are probably being dontaudit-ed. See:

http://danwalsh.livejournal.com/11673.html

Paul.
 
12-29-2011, 05:26 AM
Adam Przybyla

selinux denial not appearing in logs

On Thu, Dec 29, 2011 at 12:15:46AM +0000, Paul Howarth wrote:
> On Wed, 28 Dec 2011 18:04:30 -0500
> Edward Ned Harvey <selinuxadmin@clevertrove.com> wrote:
>
> > How can this happen? It's getting denied, but not appearing in
> > either the audit log or the messages file. Running Centos 6 fully
> > updated, php (drupal) inside of httpd tries to send mail via postfix
> > (postdrop).
> >
> >
> >
> > When I have setenforce 0, the mail goes through. No errors in any
> > logs (audit.log, error_log, messages)
> >
> > When I have setenforce 1, the mail gets blocked. I get this message
> > in httpd error_log:
> >
> > sendmail: fatal: execvp /usr/sbin/postdrop: Permission
> > denied
> >
> > sendmail: warning: command "/usr/sbin/postdrop -r" exited with status
> > 1
> >
> > sendmail: fatal: email@example.com(48): unable to
> > execute /usr/sbin/postdrop -r: Success
> >
> >
> >
> > I have auditd running. In fact, I regularly use audit2allow to
> > create allow policies on this machine. So I can confidently say
> > normally my selinux denials get logged in the audit.log. I am at a
> > loss to think of any reason this particular failure is not getting
> > logged the same way my other error messages usually get logged.
> >
> >
> >
> > I believe I can write a custom allow script by hand, but I believe I
> > probably shouldn't, or if I try, it will fail for some reason.
> >
> >
> >
> > Thanks for your help...
>
> The denials you're getting are probably being dontaudit-ed. See:
>
> http://danwalsh.livejournal.com/11673.html

... try to find selinux errors:
    grep -i err /var/log/audit/audit.log
or switch noaudit off:
    semodule -BD
Regards
Adam Przybyla
 
12-30-2011, 02:14 PM
Edward Ned Harvey

selinux denial not appearing in logs

> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> bounces@lists.fedoraproject.org] On Behalf Of Paul Howarth
>
> The denials you're getting are probably being dontaudit-ed. See:
>
> http://danwalsh.livejournal.com/11673.html

Perfect. Awesome. Thank you. :-)

 
01-02-2012, 11:59 AM
Miroslav Grepl

selinux denial not appearing in logs

On 12/30/2011 03:14 PM, Edward Ned Harvey wrote:
>> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
>> bounces@lists.fedoraproject.org] On Behalf Of Paul Howarth
>>
>> The denials you're getting are probably being dontaudit-ed. See:
>>
>> http://danwalsh.livejournal.com/11673.html
> Perfect. Awesome. Thank you. :-)

What AVC msgs are you getting?
 
01-02-2012, 02:15 PM
Edward Ned Harvey

selinux denial not appearing in logs

> From: Miroslav Grepl [mailto:mgrepl@redhat.com]
> Sent: Monday, January 02, 2012 7:59 AM
>
> On 12/30/2011 03:14 PM, Edward Ned Harvey wrote:
> >> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> >> bounces@lists.fedoraproject.org] On Behalf Of Paul Howarth
> >>
> >> The denials you're getting are probably being dontaudit-ed. See:
> >>
> >> http://danwalsh.livejournal.com/11673.html
> > Perfect. Awesome. Thank you. :-)
> >
> What AVC msgs are you getting?

I was getting none. But thanks to the suggestion about dontaudit, it's problem solved now.

Thank you.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
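
Added example, not part of the original thread or any poster's code: the dontaudit workflow discussed above (disable dontaudit rules, reproduce the failure, read the AVC records, restore the rules) as a shell script. The function names `summarize_avc`, `capture_hidden_denials` and `sample_audit_log` are introduced here, and the sample audit records are constructed, not the denial from this thread.

```shell
#!/bin/sh
# Added example. Function names are introduced here; the sample log is constructed.

# Print "scontext tcontext tclass perms" for every AVC denial whose comm= matches.
summarize_avc() {   # usage: summarize_avc COMM < audit.log
    awk -v want="comm=\"$1\"" '
        /type=AVC/ && /denied/ && index($0, want) {
            perms = $0
            sub(/.*denied +[{] */, "", perms)
            sub(/ *[}].*/, "", perms)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            print s, t, c, perms
        }'
}

# Run as root: rebuild policy with dontaudit rules disabled, reproduce the
# failure, print the denials logged meanwhile, then restore the dontaudit rules.
capture_hidden_denials() (   # usage: capture_hidden_denials COMM CMD [ARGS...]
    comm=$1; shift
    log=/var/log/audit/audit.log
    before=$(wc -l < "$log")
    semodule -DB || return 1
    "$@" || true                         # the failing action; keep going if it fails
    sleep 1                              # let auditd write the records
    tail -n "+$((before + 1))" "$log" | summarize_avc "$comm"
    semodule -B
)

# Constructed sample records (not the denial from this thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1325113470.101:4566): avc:  denied  { noatsecure } for  pid=2209 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_mail_t:s0 tclass=process
type=AVC msg=audit(1325113470.123:4567): avc:  denied  { execute } for  pid=2210 comm="sendmail" name="postdrop" dev=dm-0 ino=131589 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1325113470.123:4567): arch=c000003e syscall=59 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
EOF
}

sample_audit_log | summarize_avc sendmail
```

On a real host, run `capture_hidden_denials sendmail` followed by whatever command triggers the failing mail send, as root. With dontaudit rules off the log also fills with routine denials such as noatsecure, rlimitinh and siginh, which is why the output is filtered by command name.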
 

All times are GMT.