David McGuffey
2012-Apr-30 02:53 UTC
[CentOS] SELinux is preventing /usr/libexec/postfix/pickup from module_request
Getting module_request errors from SELinux. Errors being thrown by
metacity
sendmail.postfix
cleanup
trivial-rewarite
local
postdrop
pickup
All errors are essentially the same
System was working well until I began to apply some basic security
hardening configuration.
Postfix started complaining when I made /tmp noexec, nodev, nosuid, and
then did a mount --bind of /var/tmp under /tmp.
Backed that out the remount of /var/tmp and those errors went away. But
then these errors started showing up.
Here is an example of a postfix pickup error. What is going on? I could
allow the module to load, but I want to understand what is going on and
the dangers of making the mod before I do it.
SELinux is preventing /usr/libexec/postfix/pickup from module_request
access on the system Unknown.
***** Plugin catchall_boolean (89.3 confidence) suggests
*******************
If you want to allow all domains to have the kernel load modules
Then you must tell SELinux about this by enabling the
'domain_kernel_load_modules' boolean.
Do
setsebool -P domain_kernel_load_modules 1
***** Plugin catchall (11.6 confidence) suggests
***************************
If you believe that pickup should be allowed module_request access on
the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pickup /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:postfix_pickup_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ system ]
Source pickup
Source Path /usr/libexec/postfix/pickup
Port <Unknown>
Host desk.localdomain
Source RPM Packages postfix-2.6.6-2.2.el6_1
Target RPM Packages
Policy RPM selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name desk.localdomain
Platform Linux desk.localdomain
2.6.32-220.13.1.el6.x86_64
#1 SMP Tue Apr 17 23:56:34 BST 2012 x86_64
x86_64
Alert Count 24
First Seen Fri 27 Apr 2012 02:46:55 PM MDT
Last Seen Sun 29 Apr 2012 05:10:32 AM MDT
Local ID 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e
Raw Audit Messages
type=AVC msg=audit(1335697832.612:34911): avc: denied
{ module_request } for pid=24226 comm="pickup"
kmod="net-pf-10"
scontext=system_u:system_r:postfix_pickup_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket
success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0
ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup
exe=/usr/libexec/postfix/pickup
subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
Hash: pickup,postfix_pickup_t,kernel_t,system,module_request
audit2allow
#============= postfix_pickup_t =============#!!!! This avc can be allowed using
the boolean
'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
audit2allow -R
#============= postfix_pickup_t =============#!!!! This avc can be allowed using
the boolean
'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;
Daniel J Walsh
2012-Apr-30 17:15 UTC
[CentOS] SELinux is preventing /usr/libexec/postfix/pickup from module_request
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/29/2012 10:53 PM, David McGuffey wrote:> Getting module_request errors from SELinux. Errors being thrown by > metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup > > All errors are essentially the same > > System was working well until I began to apply some basic security > hardening configuration. > > Postfix started complaining when I made /tmp noexec, nodev, nosuid, and > then did a mount --bind of /var/tmp under /tmp. > > Backed that out the remount of /var/tmp and those errors went away. But > then these errors started showing up. > > Here is an example of a postfix pickup error. What is going on? I could > allow the module to load, but I want to understand what is going on and the > dangers of making the mod before I do it. > > > > SELinux is preventing /usr/libexec/postfix/pickup from module_request > access on the system Unknown. > > ***** Plugin catchall_boolean (89.3 confidence) suggests > ******************* > > If you want to allow all domains to have the kernel load modules Then you > must tell SELinux about this by enabling the 'domain_kernel_load_modules' > boolean. Do setsebool -P domain_kernel_load_modules 1 > > ***** Plugin catchall (11.6 confidence) suggests > *************************** > > If you believe that pickup should be allowed module_request access on the > Unknown system by default. Then you should report this as a bug. You can > generate a local policy module to allow this access. Do allow this access > for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow > -M mypol # semodule -i mypol.pp > > Additional Information: Source Context > system_u:system_r:postfix_pickup_t:s0 Target Context > system_u:system_r:kernel_t:s0 Target Objects Unknown [ > system ] Source pickup Source Path > /usr/libexec/postfix/pickup Port <Unknown> Host > desk.localdomain Source RPM Packages postfix-2.6.6-2.2.el6_1 > Target RPM Packages Policy RPM > selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled True > Policy Type targeted Enforcing Mode > Enforcing Host Name desk.localdomain Platform > Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 > 23:56:34 BST 2012 x86_64 x86_64 Alert Count 24 First Seen > Fri 27 Apr 2012 02:46:55 PM MDT Last Seen Sun 29 Apr > 2012 05:10:32 AM MDT Local ID > 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e > > Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc: denied { > module_request } for pid=24226 comm="pickup" kmod="net-pf-10" > scontext=system_u:system_r:postfix_pickup_t:s0 > tcontext=system_u:system_r:kernel_t:s0 tclass=system > > > type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket > success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 > ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup > exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 > key=(null) > > Hash: pickup,postfix_pickup_t,kernel_t,system,module_request > > audit2allow > > #============= postfix_pickup_t ============== #!!!! This avc can be > allowed using the boolean 'domain_kernel_load_modules' > > allow postfix_pickup_t kernel_t:system module_request; > > audit2allow -R > > #============= postfix_pickup_t ============== #!!!! This avc can be > allowed using the boolean 'domain_kernel_load_modules' > > allow postfix_pickup_t kernel_t:system module_request; > > > _______________________________________________ CentOS mailing list > CentOS at centos.org http://lists.centos.org/mailman/listinfo/centosThese are caused because you disabled IPV6. http://danwalsh.livejournal.com/47118.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+eyMcACgkQrlYvE4MpobP3dACggHFgCjuCy4L47E9uEVfzKDFb bicAnjpYnYRhyEsskloHBPw6jhQ2SbYy =udKB -----END PGP SIGNATURE-----