I'm busy setting up amavisd-new on a CentOS 5.0 box - and believe I've
got it working well enough that I can switch selinux enforcing back on
again.
I've done the usual-
- grab a chunk of the audit.log that is relevant to all the actions
that would be denied.
- do 'cat audit.log | audit2allow -M amavis' to generate the module
- amavis.te looks like:
module amavis 1.0;
require {
class dir { add_name getattr read remove_name search write };
class file { create execute execute_no_trans getattr lock read
rename unlink write };
class filesystem getattr;
class lnk_file read;
type amavis_t;
type fs_t;
type mqueue_spool_t;
type sbin_t;
type sendmail_exec_t;
type var_lib_t;
role system_r;
};
allow amavis_t fs_t:filesystem getattr;
allow amavis_t mqueue_spool_t:dir { add_name getattr read remove_name
search write };
allow amavis_t mqueue_spool_t:file { create getattr lock read rename
unlink write };
allow amavis_t sbin_t:lnk_file read;
allow amavis_t sendmail_exec_t:file { execute execute_no_trans read };
allow amavis_t var_lib_t:dir search;
- now I do 'semodule -i amavis.pp' to load the module- but instead of
working I instead get this error:
libsepol.print_missing_requirements: amavis's global requirements were
not met: type/attribute amavis_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Anyone know the next step I'm supposed to take to fix this? Previous
modules I've made have just happily loaded at that point...
Cheers,
Tony
On 7/19/07, Tony <pthagonal at gmail.com> wrote:
> I'm busy setting up amavisd-new on a CentOS 5.0 box - and believe I've
> got it working well enough that I can switch selinux enforcing back on
> again.
>
> I've done the usual-
<snippage>
> - now I do 'semodule -i amavis.pp' to load the module- but instead of
> working I instead get this error:
>
> libsepol.print_missing_requirements: amavis's global requirements were
> not met: type/attribute amavis_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
For the record I've solved it. Turns out that there is already an
amavis.pp loaded - it is included in the selinux-policy-targeted
package - despite the fact amavis isn't part of RHEL/CentOS5.
Solution was to remake my module and make sure it ends up named
"myamavis.pp" - and now I can load it with no problems.
In Dan Walsh's blog ( http://danwalsh.livejournal.com/8637.html ) he
does recommend putting "my" on the front of every custom module in
order to prevent name clashes - just wish I'd read and heeded his
advice earlier.
Cheers,
Tony
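An added example, not part of the thread above: a small shell helper that checks a proposed module name against the output of `semodule -l` before running `audit2allow -M`, and applies the "my" prefix when the name is already taken. The function names and the module listing are constructed for illustration; the helper assumes the module name is the first whitespace-separated field on each line of the listing.

```shell
#!/bin/sh
# Added example: choose a local policy module name that does not clash with a
# module already in the policy store. Function names here are hypothetical.

# Constructed sample of `semodule -l` output (module name, then version).
SAMPLE_MODULES='amavis	1.1.0
clamav	1.1.0
dcc	1.1.0'

# module_loaded NAME
# Reads a module listing on stdin; succeeds only if NAME matches a whole
# first field, so "amavis" does not match "myamavis".
module_loaded() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# safe_module_name NAME LISTING
# Prints NAME if it is unused in LISTING, otherwise keeps prefixing "my"
# until the result is free.
safe_module_name() {
    name=$1
    listing=$2
    while printf '%s\n' "$listing" | module_loaded "$name"; do
        name="my$name"
    done
    printf '%s\n' "$name"
}

# Demonstration on the constructed listing.
safe_module_name amavis "$SAMPLE_MODULES"

# On a live system the same check would be driven by the real listing:
#   name=$(safe_module_name amavis "$(semodule -l)")
#   audit2allow -M "$name" < audit.log
#   semodule -i "$name.pp"
```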