Cameron's Links
For those that don't know, SElinux is supposed to make servers more secure. I think the main reason is because it makes everything not work! For a while, I've been living with tons of SElinux audit errors/warnings on my mail server but as things still worked, I decided not to bother with it. Until now.This is what I was seeing (on several services):
Google actually didn't help much here, at least with the first pages of results, so I went hunting and discovered a command in Fedora 7: audit2allow. Basically, you give it the log with the errors and it will tell you the rules you need to add or even build a module you can easily load into SElinux. I chose the latter, creating a single module called mailserver for several services pertaining to running a mail server. This is what I did:
Sep 7 16:49:42 mail kernel: audit(1189205382.693:2459): avc: denied { unlink } for pid=22150 comm="imapd" name="cyrus.index" dev=sda2 ino=4732920 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Sep 7 16:49:42 mail kernel: audit(1189205382.983:2460): avc: denied { read } for pid=22150 comm="imapd" name="cyrus.squat" dev=sda2 ino=4732957 scontext=system_u:system_r:cyrus_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
Sep 7 16:49:43 mail kernel: audit(1189205382.984:2461): avc: denied { getattr } for pid=22150 comm="imapd" name="cyrus.squat" dev=sda2 ino=4732957 scontext=system_u:system_r:cyrus_t:s0 tcontext=user_u:obj
audit2allow -i /var/log/messages -M mailserver
which creates the module, and then
semodule -i mailserver.pp
to load that module. And it worked. That easy!
Post a comment