update from fc3 -> fc4: cyrus/sasl-errors

Roger Grosswiler roger at gwch.net
Mon Aug 1 09:53:42 UTC 2005


Harry Hoffman wrote:
> It's a problem with the policy not with a relabel.
> 
> audit2allow <insert /var/log/auditd/auditd.log>
> 
> will give you a policy statement to work with...
> 
> 
> HTH,
> Harry
> 
> 
> 
> On Sun, 31 Jul 2005, Bobby Kashani wrote:
> 
> 
>>On Sun, 2005-07-31 at 15:22 +0200, Roger Grosswiler wrote:
>>
>>>Hi,
>>>
>>>I recently updated from FC3 to FC4. I use this machine as a mail server
>>>with Cyrus. The 1st problem was the database - fixed issue. Now, on
>>>authentication, I get errors, will say, with SELinux enforcing I cannot
>>>authenticate at all.
>>>
>>>From the fc-list I got some help, with a few commands, that should help
>>>better understanding. What can I do to have this box with SELinux
>>>enforcing enabled? Ah, yes, in permissive mode it works fine.
>>
>>Have you tried doing a "touch /.autorelabel" and rebooting?
>>
>>Bob
>>
>>
>>>Here is a snippet of my logs:
>>>
>>>>[root at link ~]# ausearch -i -a 9657218
>>>>----
>>>>type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
>>>>type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b a1=bfd308fa a2=6e
>>>>type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local /var/run/saslauthd/mux
>>>>type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>>>>type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc:  denied  { search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>>>
>>>>
>>>>>ausearch -i -a 9659874
>>>>>
>>>>>
>>>>
>>>>[root at link ~]# ausearch -i -a 9659874
>>>>----
>>>>type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
>>>>type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b a1=bfd308fa a2=6e
>>>>type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local /var/run/saslauthd/mux
>>>>type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>>>>type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc:  denied  { search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>>>
>>>
>>>I hope you can help.
>>>
>>>Thanks a lot
>>>Roger
>>>
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>--
>>Bobby Kashani
>>http://www.ocf.berkeley.edu/~bobk/garnome
>>
>>
> 
> 

OK, in /var/log/audit, I did audit2allow -i audit.log and got:

[root at link audit]# audit2allow -i audit.log
allow apmd_t named_conf_t:dir { getattr search };
allow apmd_t named_zone_t:dir { getattr search };
allow apmd_t user_home_dir_t:dir getattr;
allow apmd_t var_lib_t:dir getattr;
allow cyrus_t initrc_t:unix_stream_socket connectto;
allow cyrus_t saslauthd_var_run_t:dir search;
allow cyrus_t saslauthd_var_run_t:sock_file write;
allow ftpd_t selinux_config_t:file { getattr read };
allow mysqld_t initrc_t:fd use;
allow mysqld_t initrc_t:process sigchld;
allow saslauthd_t initrc_t:unix_stream_socket connectto;
allow saslauthd_t mysqld_db_t:dir search;
allow saslauthd_t mysqld_db_t:sock_file write;
allow saslauthd_t selinux_config_t:dir search;
allow saslauthd_t selinux_config_t:file { getattr read };
allow saslauthd_t var_lib_t:dir search;


What am I gonna do with this? Just fixfiles relabel? Or do I have to
insert them somehow? Sorry for keeping you busy...

Roger
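Below, as an added illustration for this thread (not part of any post, and not the audit2allow source), is a small Python script that does what Harry's audit2allow step does with the AVC records quoted above: it pulls the source type, target type, object class and denied permissions out of each "avc: denied" line and merges them into TE allow rules, one per (source, target, class). The first two input lines are the AVC records from Roger's log; the third (the sock_file write denial) is a constructed line that corresponds to the "allow cyrus_t saslauthd_var_run_t:sock_file write;" rule in the audit2allow output.

```python
import re
from collections import defaultdict

# Sample input: two AVC records copied from the ausearch output in the thread,
# plus one constructed record (sock_file write) that matches the second cyrus_t rule.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc:  denied  { search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc:  denied  { search } for  pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=AVC msg=audit(07/30/05 16:21:25.000:9659900) : avc:  denied  { write } for  pid=28898 comm=imapd name=mux dev=dm-0 ino=262200 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=sock_file
"""

# Matches the pieces of an AVC denial that a TE rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (PATH, SYSCALL, SOCKADDR, ...)
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def allow_rules(text):
    """Merge denials into allow rules, one per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

The rules it prints are exactly what the logged operations were denied, which is the starting point for deciding whether cyrus_t should be allowed to reach saslauthd's socket, not a finished policy.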