Postfix avcs (Re: Enabling SELinux on a custom kernel)

Jan Kasprzak kas at fi.muni.cz
Tue Jul 8 13:17:45 UTC 2008


Stephen Smalley wrote:
: Your options would seem to be:
: - use an initrd (easiest),

	OK, I did the above. Thanks!

	Now I have problems running Postfix - sample avcs are the
following:

type=1400 audit(1215522639.630:102): avc:  denied  { sys_chroot } for  pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc:  denied  { sys_chroot } for  pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc:  denied  { sys_chroot } for  pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc:  denied  { sys_chroot } for  pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability

	I have run it through audit2allow -m localpostfix > localpostfix.te,
compiled it using

checkmodule -M -m -o localpostfix.mod localpostfix.te
semodule_package -o localpostfix.pp -m localpostfix.mod

but when I try to load it using "semodule -i localpostfix.pp",
the semodule command hangs for several minutes, eating almost 100 % CPU.
After that, it fails with

libsemanage.dbase_llist_query: could not query record value (No such file or directory).

Tried with both "setenforce 0" and "setenforce 1". How can I fix it?
Thanks,

-Yenya

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
>>  If you find yourself arguing with Alan Cox, you’re _probably_ wrong.  <<
>>     --James Morris in "How and Why You Should Become a Kernel Hacker"  <<
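Added example, not code from the post or from the SELinux tools: a small Python script that does the core of what "audit2allow -m localpostfix" does for the four AVC records quoted above, turning them into .te module source so you can read exactly which allow rules a module would add before compiling and loading it. It assumes the record layout as quoted (scontext/tcontext/tclass fields) and reuses the module name localpostfix from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the post above.
SAMPLE_AVCS = """\
type=1400 audit(1215522639.630:102): avc:  denied  { sys_chroot } for  pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc:  denied  { sys_chroot } for  pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc:  denied  { sys_chroot } for  pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc:  denied  { sys_chroot } for  pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
"""

# One "avc: denied" record: permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (perms, source type, target type, class), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    type_of = lambda ctx: ctx.split(':')[2]  # user:role:TYPE:level -> TYPE
    return (set(m['perms'].split()), type_of(m['scontext']),
            type_of(m['tcontext']), m['tclass'])

def generate_te(avc_text, module='localpostfix'):
    """Collapse denials into a minimal .te module: require block plus allow rules."""
    rules = defaultdict(set)    # (stype, ttype, tclass) -> permissions
    classes = defaultdict(set)  # tclass -> permissions, for the require block
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass = parsed
        rules[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if stype == ttype else ttype  # audit2allow writes "self" here
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(generate_te(SAMPLE_AVCS), end='')
```

The generated source is what you would feed to checkmodule; reviewing it first shows that each Postfix domain would be granted only sys_chroot on itself, and nothing else.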
