postfix and selinux [selinux updates broke postfix?]

blacky_5251 · 03-12-2010, 12:15 AM

Perhaps your issue is subtly different, so lets try a different approach

Type this command:-

Code:

grep postfix /var/log/audit.log | audit2allow -M mypostfix2
semodule -i mypostfix2.pp

Lets see how that goes.

blacky_5251 · 03-12-2010, 12:19 AM

Sorry, that last command was wrong. Should be:-

Code:

audit2allow -M mypostfix2 < /var/log/audit.log

Followed by the semodule -i command.

rjcroasdale · 03-12-2010, 12:19 AM

Code:

grep postfix /var/log/audit.log | audit2allow -M mypostfix2
grep: /var/log/audit.log: No such file or directory
compilation failed:
mypostfix2.te:7:ERROR 'syntax error' at token '' on line 7:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypostfix2.te

Code:

semodule -i mypostfix2.pp
semodule:  Could not read file 'mypostfix2.pp': No such file or directory

rjcroasdale · 03-12-2010, 12:21 AM

sorry i'm confused :S

could you run those commands back at me?

blacky_5251 · 03-12-2010, 12:25 AM

Code:

audit2allow -M mypostfix2 < /var/log/audit.log

This creates a new policy file called mypostfix2 based on the audit errors in your log file (/var/log/audit.log). There should be two new files, one called mypostfix2.te and an automatically compiled policy file called mypostfix2.pp.

The audit2allow program uses the audit file to identify the errors you want to allow, creating a policy to allow them rather than reject them.

Then you can run the semodule -i command to implement this new policy:-

Code:

semodule -i mypostfix2.pp

rjcroasdale · 03-12-2010, 12:30 AM

;(

i don't have audit.log

Code:

audit2allow -M mypostfix2 < /var/log/audit.log
-bash: /var/log/audit.log: No such file or directory

blacky_5251 · 03-12-2010, 12:33 AM

Bugger. My typing again. Try /var/log/audit/audit.log with the double audit.

rjcroasdale · 03-12-2010, 12:40 AM

looking via filezilla at the ftp, doesn't look like i have that folder either

blacky_5251 · 03-12-2010, 12:43 AM

It is only accessible by the root user. Are you logged in as root? If you can't find it, try this command to locate the location of your SELinux log files:-

Code:

find / -name audit.log -print
    or
locate audit.log

I don't have a FC9 machine, but I would have thought the file should be in the directory /var/log/audit.

rjcroasdale · 03-12-2010, 12:50 AM

I dont have an audit.log at all anywhere

Code:

[root@HOSTNAME ~]# find / -name audit.log -print
[root@HOSTNAME ~]# find / -name maillog -print
/var/log/maillog

rjcroasdale · 03-12-2010, 12:51 AM

is that not the "messages" file? where i found these

Code:

Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232533): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232534): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232535): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232536): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.568:232537): avc:  denied  { read write } for  pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

blacky_5251 · 03-12-2010, 12:59 AM

Those are errors reported by the kernel, but not the file SELinux error. Here's an example of an audit.log entry from my machine here:-

Code:

type=USER_END msg=audit(1268083802.216:51086): user pid=11884 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023  msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_ACCT msg=audit(1268083861.885:51087): user pid=11929 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1268083861.887:51088): user pid=11929 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1268083861.889:51089): login pid=11929 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 newses=9067
type=USER_START msg=audit(1268083861.895:51090): user pid=11929 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1268083862.212:51091): user pid=11929 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1268083862.214:51092): user pid=11929 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_AUTH msg=audit(1268084098.035:51093): user pid=11948 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="teacosy" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:192.168.2.202,addr=::ffff:192.168.2.202, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1268084098.049:51094): user pid=11948 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="teacosy" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:192.168.2.202, addr=::ffff:192.168.2.202, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1268084102.796:51095): user pid=11953 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1268084102.798:51096): user pid=11953 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1268084102.802:51097): login pid=11953 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 newses=9068

As you can see, these contain more "data" about the errors.

Try scanning your /var/log directory for files that may contain similar errors:-

Code:

grep -l avc /var/log/*

rjcroasdale · 03-12-2010, 01:08 AM

nope, all the avc messages are in messages logfile;

Code:

grep -l avc /var/log/*
/var/log/messages
/var/log/messages-20100214
/var/log/messages-20100221
/var/log/messages-20100228
/var/log/messages-20100307

blacky_5251 · 03-12-2010, 01:10 AM

Perhaps there is a subdirectory (other than audit) that is holding them?

Code:

ls -la /var/log | grep drw

rjcroasdale · 03-12-2010, 01:11 AM

I take it selinux is disabling access to;
postfix/cleanup[7581]: fatal: open lock file
pid/unix.cleanup: cannot open file: Permission denied

and thats why i get these errors after it;
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: process
/usr/libexec/postfix/cleanup pid 7581 exit status 1
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning:
/usr/libexec/postfix/cleanup: bad command startup -- throttling

and that bugfix we tried was suppost to fix this?