Postfix avcs (Re: Enabling SELinux on a custom kernel)
Jan Kasprzak
kas at fi.muni.cz
Tue Jul 8 13:48:07 UTC 2008
Stephen Smalley wrote:
: Easier way to do that is:
: audit2allow -M localpostfix
: That creates the .te file, runs it through checkmodule, and runs it
: through semodule_package, leaving you with the .pp file.
OK, thanks.
: > but when I try to load it using "semodule -i localpostfix.pp",
: > the semodule command hangs for several minutes, eating almost 100 % CPU.
: > After that, it fails with
: >
: > libsemanage.dbase_llist_query: could not query record value (No such file or directory).
:
: Hmmm...that's interesting. Usually that means you are missing a config
: file in the policy store. Are you starting from the stock Fedora policy
: or your own custom policy? Also, did it actually fail or just issue
: that warning and proceed?
Well, this system has been running for several years and upgraded
through several Fedora releases (although SELinux has never been in use there).
Now I have decided to enable SELinux (together with an upgrade to F9),
so I have installed Fedora (or Fedora updates) packages of SELinux tools,
targeted policy, etc. So yes, the starting point was the stock F9 setup,
but I cannot say it is a fresh F9 install.
Running find /etc/selinux -print on that system and on
just installed and updated F9 system leads to this diff:
diff /tmp/list.upgraded /tmp/list.fresh
70d69
< /etc/selinux/targeted/modules/active/modules/localpostfix.pp
115a115
> /etc/selinux/targeted/modules/active/seusers
117a118,119
> /etc/selinux/targeted/modules/active/users_extra.local
> /etc/selinux/targeted/modules/active/users.local
120,207d121
< /etc/selinux/targeted/modules/tmp
< /etc/selinux/targeted/modules/tmp/base.pp
< /etc/selinux/targeted/modules/tmp/commit_num
[... and lots of other files in .../tmp, because semodule -i localpostfix.pp
was running at that time ...]
Semodule -i does not fail per se - it returns 0 to the shell.
However, Postfix still does not work, and AVCs similar to the original ones
are still logged into the audit.log.
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
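A check for the situation the message ends on (semodule -i returns 0, yet AVCs similar to the original ones keep being logged), as an added example that is not code from the thread or from the SELinux userspace tools: parse AVC records, emit the same kind of allow rules that audit2allow -M writes into the .te file, and compare the denials logged after the load against those rules. If every later denial is already granted on paper by the module, the module is not in effect in the running policy (compare with the output of `semodule -l`); if new permissions show up, the module is in effect and another audit2allow round is needed. The audit.log lines, PIDs, inode numbers and the type names in them (postfix_smtpd_t, postfix_cleanup_t, var_t, port_t) are constructed for the example and not taken from the thread.

```python
"""Compare logged AVC denials with a local SELinux policy module's allow rules.

Added example, not code from the thread or from the SELinux tools.  All log
lines and the type names in them are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of audit records as written to /var/log/audit/audit.log.
# Only type=AVC records are parsed; the SYSCALL record is skipped.
BEFORE_LOG = """\
type=AVC msg=audit(1215524887.123:456): avc:  denied  { search } for  pid=2345 comm="smtpd" name="spool" dev=sda3 ino=1234 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1215524887.130:457): avc:  denied  { read write } for  pid=2345 comm="smtpd" name="data" dev=sda3 ino=1235 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1215524887.130:457): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1215524901.001:460): avc:  denied  { name_connect } for  pid=2346 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Constructed sample of denials logged after `semodule -i`: the first is
# already granted by the module, the second asks for a permission it lacks.
AFTER_LOG = """\
type=AVC msg=audit(1215525300.500:470): avc:  denied  { search } for  pid=2400 comm="smtpd" name="spool" dev=sda3 ino=1234 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1215525300.510:471): avc:  denied  { getattr } for  pid=2400 comm="smtpd" name="data" dev=sda3 ino=1235 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
# Matches both `allow a b:c { p q };` and the single-permission `allow a b:c p;`.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<multi>[^}]*)\}|(?P<single>[^\s;]+))\s*;", re.M)


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(log_text):
    """Return (source_type, target_type, class, frozenset(perms)) per AVC line."""
    avcs = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                         m["tclass"], frozenset(m["perms"].split())))
    return avcs


def merge_avcs(avcs):
    """One permission set per (src, tgt, class), as audit2allow emits one rule per triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in avcs:
        merged[(src, tgt, cls)] |= perms
    return merged


def generate_te(avcs, module_name, version="1.0"):
    """Emit a .te module body with the structure audit2allow -M produces."""
    merged = merge_avcs(avcs)
    types = sorted({t for (s, tg, _) in merged for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(merged.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def parse_allow_rules(te_text):
    """Allow rules of a .te file as {(src, tgt, class): set(perms)}."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(te_text):
        perms = m["multi"] if m["multi"] is not None else m["single"]
        rules[(m["src"], m["tgt"], m["cls"])] |= set(perms.split())
    return rules


def uncovered_avcs(avcs, te_text):
    """Denials whose permissions the module does not fully grant.

    Empty for denials logged after `semodule -i` means the module grants them
    on paper, so it is not in effect; non-empty means another iteration."""
    rules = parse_allow_rules(te_text)
    missing = {}
    for key, perms in merge_avcs(avcs).items():
        extra = perms - rules.get(key, set())
        if extra:
            missing[key] = extra
    return missing


if __name__ == "__main__":
    te = generate_te(parse_avcs(BEFORE_LOG), "localpostfix")
    print(te)
    print("still uncovered after load:", uncovered_avcs(parse_avcs(AFTER_LOG), te))
```

On a real system, feed the script the raw audit.log or the output of `ausearch -m avc -ts recent`, and the .te file that audit2allow -M wrote; an empty "uncovered" result for denials logged after the load is the signal to look at the policy store rather than at the rules.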