Re: Postfix avcs (Re: Enabling SELinux on a custom kernel)
- From: Jan Kasprzak <kas fi muni cz>
- To: Stephen Smalley <sds tycho nsa gov>
- Cc: fedora-selinux-list <fedora-selinux-list redhat com>
- Subject: Re: Postfix avcs (Re: Enabling SELinux on a custom kernel)
- Date: Tue, 8 Jul 2008 15:48:07 +0200
Stephen Smalley wrote:
: Easier way to do that is:
: audit2allow -M localpostfix
: That creates the .te file, runs it through checkmodule, and runs it
: through semodule_package, leaving you with the .pp file.
OK, thanks.
: > but when I try to load it using "semodule -i localpostfix.pp",
: > the semodule command hangs for several minutes, eating almost 100 % CPU.
: > After that, it fails with
: >
: > libsemanage.dbase_llist_query: could not query record value (No such file or directory).
:
: Hmmm...that's interesting. Usually that means you are missing a config
: file in the policy store. Are you starting from the stock Fedora policy
: or your own custom policy? Also, did it actually fail or just issue
: that warning and proceed?
Well, this system has been running for several years and upgraded
through several Fedora releases (although SELinux has never been in use there).
Now I have decided to enable SELinux (together with an upgrade to F9),
so I have installed Fedora (or Fedora updates) packages of SELinux tools,
targeted policy, etc. So yes, the starting point was the stock F9 setup,
but I cannot say it is a fresh F9 install.
Running find /etc/selinux -print on that system and on
a just installed and updated F9 system leads to this diff:
diff /tmp/list.upgraded /tmp/list.fresh
70d69
< /etc/selinux/targeted/modules/active/modules/localpostfix.pp
115a115
> /etc/selinux/targeted/modules/active/seusers
117a118,119
> /etc/selinux/targeted/modules/active/users_extra.local
> /etc/selinux/targeted/modules/active/users.local
120,207d121
< /etc/selinux/targeted/modules/tmp
< /etc/selinux/targeted/modules/tmp/base.pp
< /etc/selinux/targeted/modules/tmp/commit_num
[... and lots of other files in .../tmp, because semodule -i localpostfix.pp
has been running at that time ...]
Semodule -i does not fail per se - it returns 0 to the shell.
However, Postfix still does not work, and AVCs similar to the original ones
are still logged into the audit.log.
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
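The comparison above between the upgraded and the fresh F9 policy store can be turned into a quick check. This is an added example, not code from the thread or from the SELinux tools: it takes the path of a policy store such as /etc/selinux/targeted, reports the files the fresh listing has and the upgraded one lacks, and flags a leftover modules/tmp directory, which this script assumes (as in the thread) is the scratch area of a semodule run.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a policy store directory.
# Usage: check_policy_store /etc/selinux/targeted
# Prints one line per finding; returns 0 when nothing is found, 1 otherwise.
check_policy_store() {
    store="$1/modules/active"
    rc=0
    # Files present in the fresh F9 listing but absent in the upgraded one.
    for f in seusers users.local users_extra.local; do
        if [ ! -e "$store/$f" ]; then
            echo "missing: $store/$f"
            rc=1
        fi
    done
    # Assumption: modules/tmp exists only while semodule is rebuilding policy,
    # so finding it with no semodule running points at an interrupted run.
    if [ -d "$1/modules/tmp" ]; then
        echo "leftover work directory: $1/modules/tmp"
        rc=1
    fi
    return $rc
}
```

Run it as root against the live store, or point it at a copy of /etc/selinux taken from another machine to compare two installs.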