I am seeing these AVC messages on a newly commissioned and up-to-date CentOS-6
virtual guest:
----
time->Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2
success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698
pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2784 comm="trivial-rewrite"
exe="/usr/libexec/postfix/trivial-rewrite"
subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294
comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240
scontext=unconfined_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
We are using a locally built Postfix (Postfix-2.8+ is required to support
postscreen and CentOS only provides 2.6.6)
rpm -qi postfix
Name : postfix Relocations: (not relocatable)
Version : 2.11.1 Vendor: (none)
Release : 0.el6 Build Date: Thu May 15 14:38:25 2014
Install Date: Fri Nov 28 14:57:25 2014 Build Host:
xnet242.hamilton.harte-lyne.ca
Group : System Environment/Daemons Source RPM:
postfix-2.11.1-0.el6.src.rpm
Size : 13111458 License: IBM
Signature : (none)
URL : http://www.postfix.org
Summary : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
TLS
Re: SELinux. Do I just build a local policy or is there some boolean setting
needed to handle this? I could not find one if there is, but...
getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On 04.12.2014 at 18:29, James B. Byrne wrote:
> Re: SELinux. Do I just build a local policy or is there some boolean setting
> needed to handle this? I could not find one if there is but. . .

https://bugzilla.redhat.com/show_bug.cgi?id=892024

Are you sure you are really up to date on CentOS 6?
https://rhn.redhat.com/errata/RHBA-2013-1598.html is old and by now outdated.
I don't have such a problem with the Postfix 2.11.3 package from ghettoforge
on a current CentOS 6.6.

Alexander
On Thu, December 4, 2014 12:29, James B. Byrne wrote:
> Re: SELinux. Do I just build a local policy or is there some boolean setting
> needed to handle this? I could not find one if there is but. . .

Anyone see any problem with generating a custom policy consisting of the
following?

grep avc /var/log/audit/audit.log | audit2allow

#============= amavis_t =============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;

#============= clamscan_t =============
allow clamscan_t amavis_spool_t:dir read;

#============= logwatch_mail_t =============
allow logwatch_mail_t usr_t:lnk_file read;

#============= postfix_master_t =============
allow postfix_master_t tmp_t:dir read;

#============= postfix_postdrop_t =============
allow postfix_postdrop_t tmp_t:dir read;

#============= postfix_showq_t =============
allow postfix_showq_t tmp_t:dir read;

#============= postfix_smtp_t =============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
On 12/04/2014 03:22 PM, James B. Byrne wrote:
> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>> Re: SELinux. Do I just build a local policy or is there some boolean setting
>> needed to handle this? I could not find one if there is but. . .
>>
> Anyone see any problem with generating a custom policy consisting of the
> following?
>
> grep avc /var/log/audit/audit.log | audit2allow
>
> #============= amavis_t =============
> allow amavis_t shell_exec_t:file execute;
> allow amavis_t sysfs_t:dir search;
>
> #============= clamscan_t =============
> allow clamscan_t amavis_spool_t:dir read;

In the latest rhel6 policies amavis_t and clamscan_t have been merged into
antivirus_t? Is your selinux-policy up to date?

> #============= logwatch_mail_t =============
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #============= postfix_master_t =============
> allow postfix_master_t tmp_t:dir read;
>
> #============= postfix_postdrop_t =============
> allow postfix_postdrop_t tmp_t:dir read;
>
> #============= postfix_showq_t =============
> allow postfix_showq_t tmp_t:dir read;

Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you
put some content into these directories that have something to do with mail?

> #============= postfix_smtp_t =============
> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>
>
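Added example, not code from the thread and not part of Postfix or the SELinux userland. It covers the procedure James asks about (feeding audit.log denials to audit2allow and building a local module) together with the question in the reply above (why would Postfix read /tmp at all). The script parses constructed sample audit records modelled on the ones quoted in the thread, collapses them into one candidate allow rule per source domain / target type / class with the permission sets merged, and marks any rule whose target is tmp_t or var_tmp_t as something to investigate in the configuration rather than to allow. The policy_allows and build_module helpers wrap sesearch, audit2allow -M and semodule -i and only do anything where those tools exist; the INSTALL variable, the SAMPLE_AUDIT records and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials before audit2allow.
# Needs only POSIX sh and awk to parse; the policy-related helpers at the
# bottom run only where the SELinux userland is installed.

# Constructed sample audit records, modelled on the ones quoted in the thread.
# The SYSCALL record is included to show that non-AVC lines are ignored, and
# the two postfix_smtp_t records show permission sets being merged.
SAMPLE_AUDIT='type=AVC msg=audit(1417713298.610:60522): avc:  denied  { read } for  pid=4294 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 comm="trivial-rewrite"
type=AVC msg=audit(1417713301.120:60530): avc:  denied  { read } for  pid=4301 comm="postdrop" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417713305.400:60541): avc:  denied  { read write } for  pid=4310 comm="smtp" path="/var/spool/postfix/maildrop/A1B2C3" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417713305.400:60542): avc:  denied  { getattr } for  pid=4310 comm="smtp" path="/var/spool/postfix/maildrop/A1B2C3" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file'

# avc_rules: read audit records on stdin, print one candidate rule per unique
# (source type, target type, object class) with all denied permissions merged,
# prefixed by the number of denial records that produced it. Sorted output.
avc_rules() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        perms = $0                                   # text between "{" and "}"
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")         # user:role:type:level
        key = sa[3] " " ta[3] " " c
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++)
            if (!((key, pa[i]) in seen)) {
                seen[key, pa[i]] = 1
                plist[key] = (plist[key] == "") ? pa[i] : plist[key] " " pa[i]
            }
        count[key]++
    }
    END {
        for (key in count) {
            split(key, k, " ")
            printf "%d allow %s %s:%s { %s };\n", count[key], k[1], k[2], k[3], plist[key]
        }
    }' | sort
}

# review_needed: filter rules whose target is a scratch directory type. A mail
# daemon has no business there, so such a rule usually points at a stray
# configuration value (a map or socket under /tmp), not at a missing policy rule.
review_needed() {
    grep -E ' (tmp_t|var_tmp_t):'
}

# policy_allows SRC TGT CLASS: ask the loaded policy whether the rule already
# exists (setools sesearch). If it does, the right fix is a current
# selinux-policy package, not a local module. Returns 2 if sesearch is absent.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c "$3" | grep -q allow
}

# build_module NAME: the thread's workflow, guarded. Reads raw audit records on
# stdin, writes NAME.te and NAME.pp, prints the .te for review, and installs
# the module only when INSTALL=yes is set in the environment.
build_module() {
    name=$1
    if ! command -v audit2allow >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1; then
        echo "audit2allow/semodule not available; nothing built" >&2
        return 1
    fi
    audit2allow -M "$name" || return 1
    echo "Review $name.te before installing:" >&2
    cat "$name.te" >&2
    if [ "${INSTALL:-no}" = yes ]; then semodule -i "$name.pp"; fi
}

# Demo on the constructed sample: every candidate rule, with the ones that
# deserve a configuration check instead of an allow rule marked REVIEW.
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules | while IFS= read -r rule; do
    if printf '%s\n' "$rule" | review_needed >/dev/null; then
        echo "REVIEW $rule"
    else
        echo "       $rule"
    fi
done
```

On a real host, replace the sample with `grep avc /var/log/audit/audit.log | avc_rules`, run `policy_allows postfix_master_t tmp_t dir` and friends for each rule that survives review, and only then pipe the remaining records into `build_module localpostfix`. Anything flagged REVIEW is better answered by `postconf -n | grep /tmp` than by a local module.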