I'm busy setting up amavisd-new on a CentOS 5.0 box - and believe I've
got it working well enough that I can switch selinux enforcing back on
again.
I've done the usual-
- grab a chunk of the audit.log that is relevant to all the actions
that would be denied.
- do 'cat audit.log | audit2allow -M amavis' to generate the module
- amavis.te looks like:
module amavis 1.0;
require {
class dir { add_name getattr read remove_name search write };
class file { create execute execute_no_trans getattr lock read
rename unlink write };
class filesystem getattr;
class lnk_file read;
type amavis_t;
type fs_t;
type mqueue_spool_t;
type sbin_t;
type sendmail_exec_t;
type var_lib_t;
role system_r;
};
allow amavis_t fs_t:filesystem getattr;
allow amavis_t mqueue_spool_t:dir { add_name getattr read remove_name
search write };
allow amavis_t mqueue_spool_t:file { create getattr lock read rename
unlink write };
allow amavis_t sbin_t:lnk_file read;
allow amavis_t sendmail_exec_t:file { execute execute_no_trans read };
allow amavis_t var_lib_t:dir search;
- now I do 'semodule -i amavis.pp' to load the module- but instead of
working I instead get this error:
libsepol.print_missing_requirements: amavis's global requirements were
not met: type/attribute amavis_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Anyone know the next step I'm supposed to take to fix this? Previous
modules I've made have just happily loaded at that point...
Cheers,
Tony