Dan Roberts
2009-Apr-30 14:07 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
Following a hard drive corruption I have reinstalled the latest
version of CentOS and all current patch files.
For most applications I selected the default options. By doing this I
expected that the packages would play nice with one another and I
could customize as necessary.
Setting SELinux to enforce I encountered all sorts of problems - but
most were resolvable, save for Dovecot, Procmail (for spamc), and an
odd one with Apache.
Given that these were all installed with the CentOS install defaults,
I can't believe I am the only one with these issues but finding a
solution has not been self-evident. Hoping someone here can help.
For Dovecot I get the following:
SELinux is preventing dovecot (dovecot_t) "create" to <Unknown>
(dovecot_t). For complete SELinux messages. run sealert -l
e1b070ab-586a-4c5a-befe-b6a46b9ab992
For procmail I get the following:
SELinux is preventing procmail (procmail_t) "execute" to ./spamc
(spamc_exec_t). For complete SELinux messages. run sealert -l
0a554689-4948-4edf-9964-dddbfe6a2492
SELinux is preventing sh (procmail_t) "read" to ./spamc
(spamc_exec_t). For complete SELinux messages. run sealert -l
1f1ebd83-412d-4e93-a36f-6f3d34c663df
For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be directory
But it is a directory, has the correct permissions and I have even run
chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to correct
the problem. I run a virtual server too, and in trying to find a fix
for this that may be a problem - but first things first.
All the other issues I had I could resolve when I ran the specified
"sealert" tag and followed the suggested instructions - but those
above don't budge. When I go to the fedora.redhat.com/docs/selinux-fq-fc5
site to take on making a local policy module I am quickly getting
lost. The option to simply disable SELinux with respect to Apache,
Dovecot or anything else is suggested - but not something I see in
the GUI window, and I have not figured out how to do it from the
command line.
Again, because these are default packages, I hope that someone else
knows how to resolve these.
With respect to the two reports from SELinux regarding Dovecot and
procmail, here is a bit more info:
The info and Raw Audit message for dovecot_t is:
Source Context system_u:system_r:dovecot_t:s0
Target Context system_u:system_r:dovecot_t:s0
Target Objects None [ socket ]
Source dovecot
Source Path /usr/sbin/dovecot
Port <Unknown>
Host trailrunner
Source RPM Packages dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name trailrunner
Platform Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count 2
First Seen Wed Apr 29 15:39:51 2009
Last Seen Wed Apr 29 15:47:31 2009
Local ID e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers
Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot"
scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33):
arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070
a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot"
subj=system_u:system_r:dovecot_t:s0 key=(null)
The Raw Audit Message for Procmail is:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:spamc_exec_t:s0
Target Objects ./spamc [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host trailrunner
Source RPM Packages procmail-3.22-17.1.el5.centos
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name trailrunner
Platform Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count 29
First Seen Wed Apr 29 15:40:40 2009
Last Seen Wed Apr 29 16:25:40 2009
Local ID 0a554689-4948-4edf-9964-dddbfe6a2492
Line Numbers
Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: denied { execute } for pid=3344 comm="procmail" name="spamc"
dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
host=trailrunner type=SYSCALL msg=audit(1241043940.918:166):
arch=40000003 syscall=11 success=no exit=-13 a0=8ef1d90 a1=8ef1020
a2=8ef32d8 a3=1 items=0 ppid=3343 pid=3344 auid=4294967295 uid=0
gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
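The "DocumentRoot must be directory" error above is the one a label check answers fastest. The script below is an added example, not part of Dan's post or of any CentOS package: it lists the SELinux context of the DocumentRoot and of every directory above it (httpd_t has to be able to search each ancestor, so a wrong type on /web matters as much as one on /web/www), compares each with what the policy expects, and shows the persistent alternative to the chcon command in the post (chcon changes the inode now; a relabel reverts it, while a semanage fcontext rule survives). The path /web/www is the one from the post; the function names are my own; the SELinux commands only run where the tools exist.

```shell
#!/bin/sh
# Added example (not from the thread): label check for an Apache DocumentRoot
# and its parent directories, plus a persistent relabel. Helper names are mine.

# Print every ancestor of a path, root first, as a space-separated list
# (paths containing spaces are not handled). A trailing slash, as in the
# chcon command from the post, is dropped.
ancestors() {
    p="${1%/}"
    [ -n "$p" ] || p=/
    list=""
    while [ "$p" != "/" ]; do
        list="$p${list:+ $list}"
        p=$(dirname "$p")
    done
    echo "/${list:+ $list}"
}

# Actual label (ls -Z) beside the label the loaded policy expects
# (matchpathcon) for each directory on the way down to the DocumentRoot.
# A parent carrying a type httpd_t is not allowed to search is enough to
# make Apache refuse the DocumentRoot even when the leaf is labelled right.
show_labels() {
    for d in $(ancestors "$1"); do
        if command -v matchpathcon >/dev/null 2>&1; then
            printf 'actual:   '; ls -Zd "$d"
            printf 'expected: '; matchpathcon "$d"
        else
            echo "no SELinux tools here; would inspect: $d"
        fi
    done
}

# Record the type in the policy's file-context table, then apply it.
# Unlike chcon, this survives restorecon, fixfiles and an autorelabel.
persist_label() {
    dir="${1%/}"; type="$2"
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t "$type" "${dir}(/.*)?" &&
        restorecon -Rv "$dir"
    else
        echo "would run: semanage fcontext -a -t $type \"${dir}(/.*)?\" && restorecon -Rv $dir"
    fi
}

show_labels /web/www
persist_label /web/www httpd_sys_content_t
```

On the box itself, compare the "actual" and "expected" lines for / , /web and /web/www; where they differ, restorecon -Rv on that directory is the first thing to try, and only then the semanage rule for a directory the stock policy knows nothing about.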
Andrew Colin Kissa
2009-Apr-30 14:43 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
Hi

Dovecot is trying to open a socket, and procmail is trying to execute spamc. You should be able to fix these issues using audit2allow.

Andrew.

On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:
> Following a hard drive corruption I have reinstalled the latest
> version of CentOS and all current patch files.
<snip>
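Andrew's reading of the two denials, and the audit2allow step he recommends, as an added example; this is not code from the thread, from setroubleshoot or from audit2allow itself. It reads AVC records in the form sealert printed them in Dan's post (each joined back onto one line, as auditd writes them) and does by hand what audit2allow does: a one-line summary per denial, then a Type Enforcement module built from it. The sample records are the two from the post; the module name localmail and the function names are my own. Read the summary before loading anything: each allow line is a permanent exception in the policy, so drop any denial you did not expect and check getsebool -a for an existing boolean that already covers the case.

```shell
#!/bin/sh
# Added example (not from the thread or the audit2allow project): summarise AVC
# denials and turn them into a local policy module. Names are mine.

# Constructed sample: the two AVC records from Dan's post plus one SYSCALL
# record (which the parser must ignore), each on a single line.
AVC_SAMPLE='host=trailrunner type=AVC msg=audit(1241041651.976:33): avc: denied { create } for pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)
host=trailrunner type=AVC msg=audit(1241043940.918:166): avc: denied { execute } for pid=3344 comm="procmail" name="spamc" dev=dm-0 ino=18762675 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file'

# One line per denial: comm, source type, target type, class, permissions.
# The type is the third field of a context; that is what a rule names.
avc_summary() {
    awk '
    /type=AVC/ {
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        comm = sc = tc = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { sc = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tc = substr($i, 10) }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        split(sc, s, ":"); split(tc, t, ":")
        print comm, s[3], t[3], cls, perms
    }'
}

# Summary -> .te text. A target equal to the source is written as "self",
# the way audit2allow writes it. The require block declares every type and
# class the rules mention so the module compiles against the base policy.
avc_to_te() {
    avc_summary | awk -v mod="$1" '
    {
        perms = $5; for (i = 6; i <= NF; i++) perms = perms " " $i
        types[$2] = 1; types[$3] = 1
        classes[$4] = classes[$4] " " perms
        rules[NR] = "allow " $2 " " (($3 == $2) ? "self" : $3) ":" $4 " { " perms " };"
        n = NR
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classes) printf "\tclass %s {%s };\n", c, classes[c]
        printf "}\n\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Compile and load NAME.te where the toolchain exists (checkmodule comes with
# checkpolicy, semodule_package and semodule with policycoreutils on CentOS 5).
install_te() {
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
    else
        echo "policy tools not installed; review $1.te by hand" >&2
        return 1
    fi
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_to_te localmail > localmail.te
cat localmail.te
# On the real host, after reading localmail.te:  install_te localmail
```

On the real box the input is the live log rather than the sample: `ausearch -m avc -ts recent | avc_summary` gives the overview, and `audit2allow -M localmail` followed by `semodule -i localmail.pp` is the packaged equivalent of avc_to_te plus install_te.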
Lanny Marcus
2009-Apr-30 17:44 UTC
[CentOS] Defaults of CentOS Install not working with SELinux
On Thu, Apr 30, 2009 at 9:07 AM, Dan Roberts <dan at jlazyh.com> wrote:
> Following a hard drive corruption I have reinstalled the latest version of
> CentOS and all current patch files.
> For most applications I selected the default options. By doing this I
> expected that the packages would play nice with one another and I could
> customize as necessary.
> Setting SELinux to enforce I encountered all sorts of problems - but most
> were resolvable, save for Dovecot, Procmail (for spamc), and an odd one
<snip>
> take on making a local policy module I am quickly getting lost. The
> option to simply disable SELinux with respect to Apache, Dovecot or
> anything else is suggested - but not something I see in the GUI window, and
> I have not figured out how to do it from the command line.

Disabling SELinux is *not* recommended, by those who know, on this mailing
list and in other places. Maybe drop it down from "Enforcing" to Permissive,
until you get it configured properly.

You might want to go to <http://www.nsa.gov/> and download the .pdf version
of their manual about hardening RHEL 5. Look for the December 20, 2007
version. On page 42, they begin discussing SELinux and how to
configure/troubleshoot it. "Guide to the Secure Configuration of Red Hat
Enterprise Linux 5".

HTH and GL
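The switch from Enforcing to Permissive that Lanny suggests involves two separate settings, and mixing them up is a common way to end up with a box that is permissive until the next reboot and enforcing again afterwards (or the reverse). The script below is an added example, not from the thread or from any CentOS package: setenforce changes the running kernel only, while the SELINUX= line in /etc/selinux/config decides the mode at boot, and the function rewriting that file refuses unknown values and files it cannot parse unambiguously. The function names and the copy of the config file are my own.

```shell
#!/bin/sh
# Added example (not from the thread): switch SELinux between enforcing and
# permissive at runtime and at boot, with checks. Helper names are mine.

# Rewrite the SELINUX= line in a config file (default /etc/selinux/config).
# Rejects anything but the three documented values and refuses to touch a
# file that does not carry exactly one SELINUX= line, so a typo or a
# duplicated line cannot leave the mode ambiguous at boot.
set_boot_mode() {
    mode="$1"; cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    n=$(grep -c '^SELINUX=' "$cfg" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one SELINUX= line in $cfg, found $n" >&2
        return 1
    fi
    tmp="$cfg.tmp"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Boot setting plus the live one. setenforce only knows enforcing and
# permissive; "disabled" takes effect at the next reboot, and going back from
# disabled needs a relabel (touch /.autorelabel) because files created while
# disabled carry no label.
set_mode() {
    mode="$1"; cfg="$2"
    set_boot_mode "$mode" "$cfg" || return 1
    if [ "$mode" != disabled ] && command -v setenforce >/dev/null 2>&1; then
        setenforce "$mode" && getenforce
    fi
}

# Constructed stand-in for a stock /etc/selinux/config, used for the demo so
# the script does nothing to the host it runs on.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted
EOF

set_boot_mode permissive "$demo_cfg"
grep '^SELINUX' "$demo_cfg"
# Permissive still logs every denial, so this is the mode to collect the
# complete set of AVCs in one pass before fixing labels or policy and
# returning to enforcing.
```

On the real host the call is `set_mode permissive` (no second argument), and `getenforce` afterwards confirms the live state while `grep ^SELINUX= /etc/selinux/config` confirms what the next boot will do.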