Nicolas Mailhot wrote:
On Tuesday 29 November 2005 at 15:01 -0500, Daniel J Walsh wrote:
Nicolas Mailhot wrote:
The udev denial seems fixed with selinux-policy-targeted-2.0.6-1. So things get (slowly) fixed. But most issues are still there:
audit2allow < /var/log/audit/audit.log
You should do
audit2allow -l < /var/log/audit/audit.log
To only get the AVC messages you got after the last reload.
allow dovecot_auth_t var_lib_t:dir search;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow procmail_t spamd_port_t:tcp_socket name_connect;
allow updfstab_t tmpfs_t:dir getattr;
allow dovecot_auth_t etc_runtime_t:file read;
allow spamd_t port_t:udp_socket name_bind; (this bit is the spamassassin resolver issue Steven Stern just reported for FC4. It was briefly fixed in Rawhide, then regressed to broken stage with the 2.x policy change)
(generated on a clean fully relabeled system after 3 min of activity)
That's almost the same list I had with selinux-policy-targeted-2.0.0
selinux-policy-2.0.6-2 should fix most of those.
This one is much better, right. I had to work a little harder to fill my AVC quota. Now I only get:
# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t var_auth_t:dir write; (on-the-fly pam_abl database creation failure, strangely works fine from ssh)
allow saslauthd_t self:capability setuid; (should saslauthd be allowed setuid ?)
allow saslauthd_t var_auth_t:dir search; (more pam_abl stuff)
allow spamd_t port_t:udp_socket name_bind;
Probably related to one of those :
Nov 29 22:08:11 rousalka spamd[2382]: Error creating a DNS resolver socket: Permission non accordée at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202, <GEN5> line 120.
Nov 29 22:08:11 rousalka spamd[2382]: spamd: Error creating a DNS resolver socket: Permission non accordée at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202, <GEN5> line 120.
Nov 29 22:09:38 rousalka spamd[2382]: spamd: connection from localhost.localdomain [127.0.0.1] at port 50657
Nov 29 22:09:38 rousalka spamd[2382]: spamd: setuid to nim succeeded
Nov 29 22:09:38 rousalka spamd[2382]: spamd: creating default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: config: cannot write to /home/nim/.spamassassin/user_prefs: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: spamd: failed to create readable default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: spamd: checking message 1133298570.3426.4.camel@rousalka.dyndns.org for nim:500
Nov 29 22:09:38 rousalka spamd[2382]: internal error
Nov 29 22:09:38 rousalka spamd[2382]: pyzor: check failed: internal error
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: Can't call method "finish" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 397.
Nov 29 22:09:38 rousalka spamd[2382]: bayes: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/bayes.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/bayes.lock: Permission non accordée
allow system_chkpwd_t devpts_t:chr_file { read write }; (this one is pam-related - may be serious)
allow updfstab_t tmpfs_t:dir getattr; (fstab-sync is blocked)
Regards,
Please attach the audit.log
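
The difference between the two audit2allow invocations discussed in this thread, as an added example that is not part of the original messages and not audit2allow's own code: it turns AVC denials into merged allow rules, optionally keeping only those logged after the last policy load. The function name `allow_rules`, the sample log lines and the use of a `type=MAC_POLICY_LOAD` record as the reload marker are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread's system).
SAMPLE_LOG = """\
type=AVC msg=audit(1133298000.100:10): avc:  denied  { search } for  pid=2100 comm="dovecot-auth" name="lib" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=MAC_POLICY_LOAD msg=audit(1133298400.200:20): policy loaded auid=4294967295
type=AVC msg=audit(1133298491.300:30): avc:  denied  { name_bind } for  pid=2382 comm="spamd" src=32770 scontext=system_u:system_r:spamd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=AVC msg=audit(1133298500.400:31): avc:  denied  { read } for  pid=2400 comm="unix_chkpwd" scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298500.401:32): avc:  denied  { write } for  pid=2400 comm="unix_chkpwd" scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133298510.500:33): avc:  denied  { setuid } for  pid=2500 comm="saslauthd" capability=7 scontext=system_u:system_r:saslauthd_t tcontext=system_u:system_r:saslauthd_t tclass=capability
""".splitlines()

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def allow_rules(lines, since_last_load=False):
    """Merge AVC denials into sorted allow rules.

    since_last_load=True mimics the effect of 'audit2allow -l': denials
    logged before the most recent policy load are ignored.
    """
    start = 0
    if since_last_load:
        # Assumption: a policy reload shows up as a MAC_POLICY_LOAD record.
        for i, line in enumerate(lines):
            if line.startswith("type=MAC_POLICY_LOAD"):
                start = i + 1
    merged = defaultdict(set)
    for line in lines[start:]:
        m = AVC_RE.search(line)
        if m:
            # A context is user:role:type[:range]; the rule uses the type.
            src, tgt = (m[g].split(":")[2] for g in ("s", "t"))
            merged[(src, tgt, m["c"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG, since_last_load=True)))
```

Without `since_last_load`, the stale `dovecot_auth_t` denial from before the reload is still reported, which is the situation the `-l` advice addresses.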