selinux and udev ?

Daniel J Walsh dwalsh at redhat.com
Tue Nov 29 23:49:44 UTC 2005


Nicolas Mailhot wrote:
> On Tuesday 29 November 2005 at 15:01 -0500, Daniel J Walsh wrote:
>   
>> Nicolas Mailhot wrote:
>>     
>
>   
>>> The udev denial seems fixed with selinux-policy-targeted-2.0.6-1. So
>>> things get (slowly) fixed. But most issues are still there :
>>>
>>> audit2allow < /var/log/audit/audit.log
>>>       
You should do

audit2allow -l  < /var/log/audit/audit.log

to get only the AVC messages you got after the last reload.
>>> allow dovecot_auth_t var_lib_t:dir search;
>>> allow system_chkpwd_t devpts_t:chr_file { read write };
>>> allow procmail_t spamd_port_t:tcp_socket name_connect;
>>> allow updfstab_t tmpfs_t:dir getattr;
>>> allow dovecot_auth_t etc_runtime_t:file read;
>>> allow spamd_t port_t:udp_socket name_bind;
>>> (this bit is the spamassassin resolver issue Steven Stern just reported
>>> for FC4. It was briefly fixed in Rawhide, then regressed to broken stage
>>> with the 2.x policy change)
>>>
>>> (generated on a clean fully relabeled system after 3 min of activity)
>>>
>>> That's almost the same list I had with selinux-policy-targeted-2.0.0
>>>       
>
>   
>> selinux-policy-2.0.6-2 should fix most of those.
>>     
>
> This one is much better, right. I had to work a little harder to fill my
> AVC quota. Now I only get :
>
> # audit2allow < /var/log/audit/audit.log | sort
> allow dovecot_auth_t var_auth_t:dir write;
> (on-the-fly pam_abl database creation failure, strangely works fine from
> ssh)
>
> allow saslauthd_t self:capability setuid;
> (should saslauthd be allowed setuid ?)
>
> allow saslauthd_t var_auth_t:dir search;
> (more pam_abl stuff)
>
> allow spamd_t port_t:udp_socket name_bind;
>
> Probably related to one of those :
>
> Nov 29 22:08:11 rousalka spamd[2382]: Error creating a DNS resolver
> socket: Permission non accordée
> at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
> line 202, <GEN5> line 120.
> Nov 29 22:08:11 rousalka spamd[2382]: spamd: Error creating a DNS
> resolver socket: Permission non accordée
> at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
> line 202, <GEN5> line 120.
>
>
> Nov 29 22:09:38 rousalka spamd[2382]: spamd: connection from
> localhost.localdomain [127.0.0.1] at port 50657
> Nov 29 22:09:38 rousalka spamd[2382]: spamd: setuid to nim succeeded
> Nov 29 22:09:38 rousalka spamd[2382]: spamd: creating
> default_prefs: /home/nim/.spamassassin/user_prefs
> Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
> existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
> 1467
> Nov 29 22:09:38 rousalka spamd[2382]: config: cannot write
> to /home/nim/.spamassassin/user_prefs: Permission non accordée
> Nov 29 22:09:38 rousalka spamd[2382]: spamd: failed to create readable
> default_prefs: /home/nim/.spamassassin/user_prefs
> Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
> existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
> 1467
> Nov 29 22:09:38 rousalka spamd[2382]: spamd: checking message
> <1133298570.3426.4.camel at rousalka.dyndns.org> for nim:500
> Nov 29 22:09:38 rousalka spamd[2382]: internal error
> Nov 29 22:09:38 rousalka spamd[2382]: pyzor: check failed: internal
> error
> Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
> existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
> 1467
> Nov 29 22:09:38 rousalka spamd[2382]: locker: safe_lock: cannot create
> tmp
> lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
> Nov 29 22:09:38 rousalka spamd[2382]: auto-whitelist: open of
> auto-whitelist file failed: locker: safe_lock: cannot create tmp
> lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
> Nov 29 22:09:38 rousalka spamd[2382]: Can't call method "finish" on an
> undefined value
> at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line
> 397.
> Nov 29 22:09:38 rousalka spamd[2382]: bayes: locker: safe_lock: cannot
> create tmp
> lockfile /home/nim/.spamassassin/bayes.lock.rousalka.dyndns.org.2382
> for /home/nim/.spamassassin/bayes.lock: Permission non accordée
>
> allow system_chkpwd_t devpts_t:chr_file { read write };
> (this one is pam-related - may be serious)
>
> allow updfstab_t tmpfs_t:dir getattr;
> (fstab-sync is blocked)
>
> Regards,
>
>   
Please attach the audit.log

More information about the fedora-selinux-list mailing list
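
The difference between the two invocations discussed in the thread (plain audit2allow versus audit2allow -l), as an added example that is not part of the original message and is not audit2allow's own code. It assumes a policy reload appears in audit.log as a type=MAC_POLICY_LOAD record; the log lines are constructed, and allow_rules and type_of are names chosen for this sketch.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (not from the poster's system). The
# MAC_POLICY_LOAD record marks a policy reload (assumed record type).
SAMPLE_LOG = """\
type=AVC msg=audit(1133298400.101:41): avc:  denied  { search } for  pid=2101 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=MAC_POLICY_LOAD msg=audit(1133298450.000:42): policy loaded auid=0
type=AVC msg=audit(1133298491.310:43): avc:  denied  { read } for  pid=2290 comm="unix_chkpwd" scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298491.311:44): avc:  denied  { write } for  pid=2290 comm="unix_chkpwd" scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298495.007:45): avc:  denied  { name_bind } for  pid=2382 comm="spamd" src=32768 scontext=system_u:system_r:spamd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=AVC msg=audit(1133298495.009:46): avc:  granted  { getattr } for  pid=2400 comm="ls" scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:tmpfs_t tclass=dir
"""

# Only "denied" records become rules; "granted" records are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type[:mls-range] -> the type is the third field
    return context.split(":")[2]

def allow_rules(log_text, last_reload_only=False):
    """Turn AVC denials into sorted allow rules, merging permissions."""
    lines = log_text.splitlines()
    if last_reload_only:
        # Drop everything up to and including the last policy load record.
        loads = [i for i, l in enumerate(lines)
                 if l.startswith("type=MAC_POLICY_LOAD")]
        if loads:
            lines = lines[loads[-1] + 1:]
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = sorted(ps)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG, last_reload_only=True)))
```

With last_reload_only=False the dovecot_auth_t denial logged before the reload shows up again, which is how rules already fixed by a newer policy keep appearing in the output.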