Postfix avcs (Re: Enabling SELinux on a custom kernel)
Jan Kasprzak
kas at fi.muni.cz
Tue Jul 8 13:17:45 UTC 2008
Stephen Smalley wrote:
: Your options would seem to be:
: - use an initrd (easiest),
OK, I did the above. Thanks!
Now I have problems running Postfix - sample avcs are the
following:
type=1400 audit(1215522639.630:102): avc: denied { sys_chroot } for pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc: denied { sys_chroot } for pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc: denied { sys_chroot } for pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc: denied { sys_chroot } for pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
I have run it through audit2allow -m localpostfix > localpostfix.te,
compiled it using
checkmodule -M -m -o localpostfix.mod localpostfix.te
semodule_package -o localpostfix.pp -m localpostfix.mod
but when I try to load it using "semodule -i localpostfix.pp",
the semodule command hangs for several minutes, eating almost 100 % CPU.
After that, it fails with
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
Tried with both "setenforce 0" and "setenforce 1". How can I fix it?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
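
Added example, not part of the original message: a small Python parser for AVC denial records in the format quoted above, which derives the allow rules for review before a module is built from them. It mirrors audit2allow's use of `self` when source and target type match. The function names are hypothetical, and the sample records are constructed (the first two modelled on the records in the message, the third invented to show a non-self target).

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC format quoted in the message.
SAMPLE = """\
type=1400 audit(1215522639.630:102): avc: denied { sys_chroot } for pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc: denied { sys_chroot } for pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522641.000:106): avc: denied { read write } for pid=7400 comm="smtp" name="x" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Permissions sit between the braces; contexts are user:role:type[:level].
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def type_of(context):
    """Return the type field (third component) of an SELinux context."""
    return context.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = type_of(m["s"]), type_of(m["t"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself, e.g. a capability check
        rules[(src, tgt, m["c"])].update(m["perms"].split())
    return rules


def render_rules(rules):
    """Render the grouped denials as policy allow statements, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


if __name__ == "__main__":
    print("\n".join(render_rules(parse_denials(SAMPLE))))
```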