Hi everybody.<br><br>This problem with selinux is exhausting my little head:<br><br>I wrote a python script in order to provide out of office mail system to my postfix mailserver on Centos5. This script use sqlite module to connect to a db file and store some information about email replies, users etc.&nbsp; I invoke my script from /etc/postfix/<a href="http://master.cf">master.cf</a> :<br>
<br>autoreply&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unix&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pipe<br>&nbsp; flags= user=vacation argv=/etc/config_files/postfix/autoresponder/vacation.py --deliver ${sender} -- ${recipient}<br><br>whose permissions are: (ls -Z /etc/config_files/postfix/autoresponder/)<br>
<br>-rwxrwxrwx&nbsp; vacation vacation system_u:object_r:etc_t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; database.db<br>-rwxrwxrwx&nbsp; vacation vacation system_u:object_r:postfix_pipe_exec_t vacation.py<br><br>The latter context was set by me to allow /urs/libexec/postfix/pipe to be able to execute my script (i wouldn&#39;t use this kind of dirty &quot;tricks&quot;). If i leave with its canonical context , postfix will<br>
complain saying it has not permission to execute vacation.py.<br><br>Assuming this configuration right,&nbsp; my script is able to connect and retrieve information by the database (select statement ) but cannot write on it (database.db) . Take a look at audit log:<br>
<br>type=SYSCALL msg=audit(1211975254.056:1341): arch=c000003e syscall=2 success=no exit=-13 a0=27f4ec0 a1=42 a2=1a4 a3=1 items=0 ppid=7203 pi\<br>d=7212 auid=0 uid=514 gid=514 euid=514 suid=514 fsuid=514 egid=514 sgid=514 fsgid=514 tty=(none) comm=&quot;python&quot; exe=&quot;/usr/bin/python&quot; subj=\<br>
root:system_r:postfix_pipe_t:s0 key=(null)<br>type=AVC msg=audit(1211975254.060:1342): avc:&nbsp; denied&nbsp; { write } for&nbsp; pid=7206 comm=&quot;python&quot; name=&quot;localUsers.db&quot; dev=dm-0 ino=262646 scon\<br>text=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file<br>
<br>I Guess python sqlite function cannot create journaling files which is required by sqlite to modify a database (i&#39;ve also tried to add a PRAGMA statement fo change the temporary directory and python complains that it is not writable .....even /tmp dir) . Actually if i disable selinux everyhing works, but i don&#39;t want to do it at all.<br>
<br>I have no ideas anymore to solve it out. If i create a new policy package form my audit.log using :<br><br>&nbsp;audit2allow -i /var/log/audit/audit.log -m vacation &gt; vacation.te etc....<br><br>and loading it with semodule the issue doesn&#39;t run away.<br>
<br>Any help will be&nbsp; really appreciated<br><br>Fabrizio <br><br><br><br><br><br><br>&nbsp;<br>