People running Postfix in FC5 not running Selinux?
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 3 20:33:34 UTC 2006
Stephen John Smoogen wrote:
> On 9/29/06, Stephen John Smoogen <smooge at gmail.com> wrote:
>> I installed a system from the original FC5 disks and updated to latest
>> versions in yum repos. I changed over to postfix and found that it
>> wasnt working for some reason.. no errros to /var/log/messages or
>> /var/log/secure.. and I completely forgot for a day to look at audit.
>>
>
> That has to be the worst subject I could have come up with. Probably
> not enough sleep.
>
> ...
>> postfix was able to start email but could not do a mailq
>> doing a mailq showed me things like
>>
>> allow postfix_local_t initrc_var_run_t:file { read write };
>> allow postfix_showq_t initrc_var_run_t:file { read write };
>>
>> type=AVC msg=audit(1159574724.622:397): avc: denied { read write }
>> for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
>> scontext=system_u:system_r:postfix_local_t:s0
>> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>> Was caused by:
>> Missing or disabled TE allow rule.
>> Allow rules may exist but be disabled by boolean
>> settings; check boolean settings.
>> You can see the necessary allow rules by running
>> audit2allow with this audit message as input.
>>
>> type=AVC msg=audit(1159574753.636:398): avc: denied { read write }
>> for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871
>> scontext=system_u:system_r:postfix_showq_t:s0
>> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>> Was caused by:
>> Missing or disabled TE allow rule.
>> Allow rules may exist but be disabled by boolean
>> settings; check boolean settings.
>> You can see the necessary allow rules by running
>> audit2allow with this audit message as input.
>>
>>
>> Not sure what I should do next. Turning off the selinux
>> selinux-policy-targeted-2.3.7-2.fc5
>> selinux-policy-2.3.7-2.fc5
>>
>
This looks like a labeing problem. Which directory are unix.showq and
unix.local in?
Labeled initrc_var_run_t means they were created in an init script and
SELinux policy is denying
access to these files.
More information about the fedora-selinux-list
mailing list