Postfix avcs (Re: Enabling SELinux on a custom kernel)

Stephen Smalley sds at tycho.nsa.gov
Tue Jul 8 13:23:48 UTC 2008


On Tue, 2008-07-08 at 15:17 +0200, Jan Kasprzak wrote:
> Stephen Smalley wrote:
> : Your options would seem to be:
> : - use an initrd (easiest),
> 
> 	OK, I did the above. Thanks!
> 
> 	Now I have problems running Postfix - sample avcs are the
> following:
> 
> type=1400 audit(1215522639.630:102): avc:  denied  { sys_chroot } for  pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
> type=1400 audit(1215522639.766:103): avc:  denied  { sys_chroot } for  pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
> type=1400 audit(1215522640.693:104): avc:  denied  { sys_chroot } for  pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
> type=1400 audit(1215522640.760:105): avc:  denied  { sys_chroot } for  pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
> 
> 	I have run it through audit2allow -m localpostfix > localpostfix.te,
> compiled it using
> 
> checkmodule -M -m -o localpostfix.mod localpostfix.te
> semodule_package -o localpostfix.pp -m localpostfix.mod

Easier way to do that is:
audit2allow -M localpostfix
That creates the .te file, runs it through checkmodule, and runs it
through semodule_package, leaving you with the .pp file.

> but when I try to load it using "semodule -i localpostfix.pp",
> the semodule command hangs for several minutes, eating almost 100 % CPU.
> After that, it fails with
> 
> libsemanage.dbase_llist_query: could not query record value (No such file or directory).
> 
> Tried with both "setenforce 0" and "setenforce 1". How can I fix it?
> Thanks,

Hmmm...that's interesting.  Usually that means you are missing a config
file in the policy store.  Are you starting from the stock Fedora policy
or your own custom policy?  Also, did it actually fail or just issue
that warning and proceed?

-- 
Stephen Smalley
National Security Agency
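What audit2allow -M does with the four AVC records above is the step worth seeing in full: it parses each denial into (source type, target type, object class, permissions), collapses duplicates, and emits a .te module source with a require block and one allow rule per triple, which checkmodule and semodule_package then turn into the .pp file. The script below is an added example (not audit2allow's own code, and not from the original thread) that reproduces that translation on the denials quoted in the message; the module name localpostfix and the exact .te layout are assumptions modelled on audit2allow's usual output.

```python
import re

# The four sys_chroot denials quoted in the thread, embedded here as sample
# input so the script runs offline; any audit.log lines in this format work.
SAMPLE_AVCS = """\
type=1400 audit(1215522639.630:102): avc:  denied  { sys_chroot } for  pid=7367 comm="cleanup" capability=18 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=capability
type=1400 audit(1215522639.766:103): avc:  denied  { sys_chroot } for  pid=7369 comm="trivial-rewrite" capability=18 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=1400 audit(1215522640.693:104): avc:  denied  { sys_chroot } for  pid=7370 comm="smtp" capability=18 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability
type=1400 audit(1215522640.760:105): avc:  denied  { sys_chroot } for  pid=7371 comm="bounce" capability=18 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:postfix_bounce_t:s0 tclass=capability
"""

# One AVC "denied" record: the permission set in braces, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Repeated denials for the same triple are merged into one rule, which is
    why four records from different PIDs can still yield fewer allow lines.
    """
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL or PATH records)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def perm_list(perms):
    """Format a permission set the way policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(name, rules):
    """Render the rules as loadable-module source (.te), in audit2allow style.

    'self' is used as the target when a domain acts on its own context, as
    it does for capability checks.
    """
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)

    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {perm_list(p)};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {perm_list(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Equivalent of: audit2allow -m localpostfix < avc.log > localpostfix.te
    print(render_te("localpostfix", parse_denials(SAMPLE_AVCS)), end="")
```

Writing the output to localpostfix.te and running the same checkmodule -M -m and semodule_package commands quoted in the thread gives the .pp that audit2allow -M produces in one step. Read the generated allow lines before loading them: each one grants a Postfix domain the sys_chroot capability permanently, so confirm that is what the configured chroot setup needs rather than loading whatever the log happened to contain.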
