Dan Roberts
2009-Apr-30 14:07 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
Following a hard drive corruption I have reinstalled the latest version of CentOS and all current patch files. For most applications I selected the default options. By doing this I expected that the packages would play nice with one another and I could customize as necessary. Setting SELinux to enforce I encountered all sorts of problems - but most were resolvable, save for Dovecot, Procmail (for spamc), and an odd one with Apache. Given that these were all installed with the CentOS install defaults, I can't believe I am the only one with these issues but finding a solution has not been self evident. Hoping someone here can help. For Dovecot I get the following: SELinux is preventing dovecot (dovecot_t) "create" to <Unknown> (dovecot_t). For complete SELinux messages. run sealert -l e1b070ab-586a-4c5a-befe-b6a46b9ab992 For procmail I get the following: SELinux is preventing procmail (procmail_t) "execute" to ./spamc (spamc_exec_t). For complete SELinux messages. run sealert -l 0a554689-4948-4edf-9964-dddbfe6a2492 SELinux is preventing sh (procmail_t) "read" to ./spamc (spamc_exec_t). For complete SELinux messages. run sealert -l 1f1ebd83-412d-4e93-a36f-6f3d34c663df For Apache it's even more strange - When started I get: Syntax error on line 283 of /etc/httpd/conf/httpd.conf DocumentRoot must be directory But it is a directory, has the correct permissions and I have even run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to correct the problem. I run a virtual server too, and in trying to find a fix for this that may be a problem - but first things first. All the other issues I had I could resolve when I ran the specified "sealert" tag and followed the suggested instructions - but those above don't budge. When I go to the fedora.redhat.com/docs/selinux-fq- fc5 site to take on making a local policy module I am quickly getting lost . The option to simply disable SElinux with respect to Apache, Dovecote or anything else is suggested - but not something I see in the GUI window, and I have not figured out how to do it from the command line. Again, because these are default packages, I hope that someone else knows how to resolve these. With respect to the to reports from SELinux regarding Dovecot and promail, here is a bit more info: The info and Raw Audit message for dovecot_t is: Source Context system_u:system_r:dovecot_t:s0 Target Context system_u:system_r:dovecot_t:s0 Target Objects None [ socket ] Source dovecot Source Path /usr/sbin/dovecot Port <Unknown> Host trailrunner Source RPM Packages dovecot-1.0.7-7.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-203.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name trailrunner Platform Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon Alert Count 2 First Seen Wed Apr 29 15:39:51 2009 Last Seen Wed Apr 29 15:47:31 2009 Local ID e1b070ab-586a-4c5a-befe-b6a46b9ab992 Line Numbers Raw Audit Messages host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null) The Raw Audit Message for Procmail is: Source Context system_u:system_r:procmail_t:s0 Target Context system_u:object_r:spamc_exec_t:s0 Target Objects ./spamc [ file ] Source procmail Source Path /usr/bin/procmail Port <Unknown> Host trailrunner Source RPM Packages procmail-3.22-17.1.el5.centos Target RPM Packages Policy RPM selinux-policy-2.4.6-203.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name trailrunner Platform Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon Alert Count 29 First Seen Wed Apr 29 15:40:40 2009 Last Seen Wed Apr 29 16:25:40 2009 Local ID 0a554689-4948-4edf-9964-dddbfe6a2492 Line Numbers Raw Audit Messages host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: denied { execute } for pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=trailrunner type=SYSCALL msg=audit(1241043940.918:166): arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020 a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20090430/b22466a9/attachment-0002.html>
Andrew Colin Kissa
2009-Apr-30 14:43 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
Hi Dovecot is trying to open a socket, and procmail is trying to execute spamc, You should be able to fix these issues using audit2allow. Andrew. On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:> Following a hard drive corruption I have reinstalled the latest > version of CentOS and all current patch files. > > For most applications I selected the default options. By doing this > I expected that the packages would play nice with one another and I > could customize as necessary. > > Setting SELinux to enforce I encountered all sorts of problems - but > most were resolvable, save for Dovecot, Procmail (for spamc), and an > odd one with Apache. > > Given that these were all installed with the CentOS install > defaults, I can't believe I am the only one with these issues but > finding a solution has not been self evident. Hoping someone here > can help. > > For Dovecot I get the following: > SELinux is preventing dovecot (dovecot_t) "create" to <Unknown> > (dovecot_t). For complete SELinux messages. run sealert -l > e1b070ab-586a-4c5a-befe-b6a46b9ab992 > > For procmail I get the following: > SELinux is preventing procmail (procmail_t) "execute" to ./spamc > (spamc_exec_t). For complete SELinux messages. run sealert -l > 0a554689-4948-4edf-9964-dddbfe6a2492 > SELinux is preventing sh (procmail_t) "read" to ./spamc > (spamc_exec_t). For complete SELinux messages. run sealert -l > 1f1ebd83-412d-4e93-a36f-6f3d34c663df > > For Apache it's even more strange - When started I get: > Syntax error on line 283 of /etc/httpd/conf/httpd.conf > DocumentRoot must be directory > > But it is a directory, has the correct permissions and I have even > run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to > correct the problem. I run a virtual server too, and in trying to > find a fix for this that may be a problem - but first things first. > > All the other issues I had I could resolve when I ran the specified > "sealert" tag and followed the suggested instructions - but those > above don't budge. When I go to the fedora.redhat.com/docs/selinux- > fq-fc5 site to take on making a local policy module I am quickly > getting lost . The option to simply disable SElinux with respect > to Apache, Dovecote or anything else is suggested - but not > something I see in the GUI window, and I have not figured out how to > do it from the command line. > > Again, because these are default packages, I hope that someone else > knows how to resolve these. > > With respect to the to reports from SELinux regarding Dovecot and > promail, here is a bit more info: > > The info and Raw Audit message for dovecot_t is: > Source Context system_u:system_r:dovecot_t:s0 > Target Context system_u:system_r:dovecot_t:s0 > Target Objects None [ socket ] > Source dovecot > Source Path /usr/sbin/dovecot > Port <Unknown> > Host trailrunner > Source RPM Packages dovecot-1.0.7-7.el5 > Target RPM Packages > Policy RPM selinux-policy-2.4.6-203.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name trailrunner > Platform Linux trailrunner > 2.6.18-128.1.6.el5xen #1 SMP Wed > Apr 1 10:38:05 EDT 2009 i686 athlon > Alert Count 2 > First Seen Wed Apr 29 15:39:51 2009 > Last Seen Wed Apr 29 15:47:31 2009 > Local ID e1b070ab-586a-4c5a-befe-b6a46b9ab992 > Line Numbers > > Raw Audit Messages > host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: > denied { create } for pid=3884 comm="dovecot" > scontext=system_u:system_r:dovecot_t:s0 > tcontext=system_u:system_r:dovecot_t:s0 tclass=socket > host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): > arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 > a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 > gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) > ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" > subj=system_u:system_r:dovecot_t:s0 key=(null) > > The Raw Audit Message for Procmail is: > Source Context system_u:system_r:procmail_t:s0 > Target Context system_u:object_r:spamc_exec_t:s0 > Target Objects ./spamc [ file ] > Source procmail > Source Path /usr/bin/procmail > Port <Unknown> > Host trailrunner > Source RPM Packages procmail-3.22-17.1.el5.centos > Target RPM Packages > Policy RPM selinux-policy-2.4.6-203.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall_file > Host Name trailrunner > Platform Linux trailrunner > 2.6.18-128.1.6.el5xen #1 SMP Wed > Apr 1 10:38:05 EDT 2009 i686 athlon > Alert Count 29 > First Seen Wed Apr 29 15:40:40 2009 > Last Seen Wed Apr 29 16:25:40 2009 > Local ID 0a554689-4948-4edf-9964-dddbfe6a2492 > Line Numbers > > Raw Audit Messages > host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: > denied { execute } for pid=3344 comm="procmail" name="spamc" > dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=trailrunner type=SYSCALL msg=audit(1241043940.918:166): > arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020 > a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0 > gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) > ses=4294967295 comm="procmail" exe="/usr/bin/procmail" > subj=system_u:system_r:procmail_t:s0 key=(null) > > > > > > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20090430/ad2e7e2d/attachment-0002.html>
Lanny Marcus
2009-Apr-30 17:44 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
On Thu, Apr 30, 2009 at 9:07 AM, Dan Roberts <dan at jlazyh.com> wrote:> Following a hard drive corruption I have reinstalled the latest version of > CentOS and all current patch files. > For most applications I selected the default options. ?By doing this I > expected that the packages would play nice with one another and I could > customize as necessary. > Setting SELinux to enforce I encountered all sorts of problems - but most > were resolvable, save for Dovecot, Procmail (for spamc), and an odd one<snip>> take on making a local policy module I am quickly getting lost . ? The > option to simply disable SElinux with respect to Apache, Dovecote or > anything else is suggested - but not something I see in the GUI window, and > I have not figured out how to do it from the command line.Disabling SELinux is *not* recommended, by those who know, on this mailing list and in other places. Maybe drop it down from "Enforcing" to Permissive, until you get it configured properly. You might want to go to <http://www.nsa.gov/> and download the .pdf version of their manual about hardening RHEL 5. Look for the December 20, 2007 version. On page 42, they begin discussing SELinux and how to configure/troubleshoot it. "Guide to the Secure Configuration of Red Hat Enterprise Linux 5". HTH and GL
Apparently Analagous Threads
- procmail can't invoke spamc/spamassassin in 5.3 due to SElinux denials
- v2.3.2 released
- v2.3.2 released
- Converting from MBOX to Maildir broke procmail and Spamassasin and halted incoming mail
- NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql