People running Postfix in FC5 not running Selinux?

Daniel J Walsh dwalsh at redhat.com
Tue Oct 3 20:33:34 UTC 2006


Stephen John Smoogen wrote:
> On 9/29/06, Stephen John Smoogen <smooge at gmail.com> wrote:
>> I installed a system from the original FC5 disks and updated to latest
>> versions in yum repos. I changed over to postfix and found that it
>> wasn't working for some reason.. no errors to /var/log/messages or
>> /var/log/secure.. and I completely forgot for a day to look at audit.
>>
>
> That has to be the worst subject I could have come up with. Probably
> not enough sleep.
>
> ...
>> postfix was able to start email but could not do a mailq
>> doing a mailq showed me things like
>>
>> allow postfix_local_t initrc_var_run_t:file { read write };
>> allow postfix_showq_t initrc_var_run_t:file { read write };
>>
>> type=AVC msg=audit(1159574724.622:397): avc:  denied  { read write }
>> for  pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
>> scontext=system_u:system_r:postfix_local_t:s0
>> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>>         Was caused by:
>>                 Missing or disabled TE allow rule.
>>                 Allow rules may exist but be disabled by boolean
>> settings; check boolean settings.
>>                 You can see the necessary allow rules by running
>> audit2allow with this audit message as input.
>>
>> type=AVC msg=audit(1159574753.636:398): avc:  denied  { read write }
>> for  pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871
>> scontext=system_u:system_r:postfix_showq_t:s0
>> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>>         Was caused by:
>>                 Missing or disabled TE allow rule.
>>                 Allow rules may exist but be disabled by boolean
>> settings; check boolean settings.
>>                 You can see the necessary allow rules by running
>> audit2allow with this audit message as input.
>>
>>
>> Not sure what I should do next. Turning off the selinux
>> selinux-policy-targeted-2.3.7-2.fc5
>> selinux-policy-2.3.7-2.fc5
>>
>
This looks like a labeling problem. Which directory are unix.showq and
unix.local in?

Labeled initrc_var_run_t means they were created in an init script and 
SELinux policy is denying
access to these files.
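
The triage described in the reply above, as an added example that is not part of the original message: it parses the two quoted AVC records and flags denials whose target type points to relabeling rather than to a new allow rule. The function names and the `INIT_CREATED_TYPES` set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message, unwrapped onto one line each
# (the mail client had wrapped them; content is otherwise unchanged).
SAMPLE = """\
type=AVC msg=audit(1159574724.622:397): avc:  denied  { read write } for  pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1159574753.636:398): avc:  denied  { read write } for  pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871 scontext=system_u:system_r:postfix_showq_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types that, per the reply, mean the file
# was created by an init script instead of getting a label of its own.
INIT_CREATED_TYPES = {"initrc_var_run_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def triage(text):
    """Group denials by target type; keep only the likely labeling problems."""
    by_target = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            by_target[rec["target_type"]].append(rec)
    return {t: r for t, r in by_target.items() if t in INIT_CREATED_TYPES}

if __name__ == "__main__":
    for ttype, recs in triage(SAMPLE).items():
        for r in recs:
            print(f'{r["source_type"]} denied {r["perms"]} on {r["name"]} '
                  f'(inode {r["ino"]}) labeled {ttype}: check the file label')
```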
