RHEL5 has a few handy tools to help with allowing specific exceptions to the canned selinux policy, by creating
policy modules to import as needed.
Use audit2allow, which transforms audit messages from alerts to loadable modules
So, this /var/log/messages alert:
Aug 7 07:22:19 testbox setroubleshoot: SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write" to cricket (mail_spool_t). For complete SELinux messages. run sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18
Shows this in sealert:
[07:25:12 testbox ] tmp $ sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18Basically, postfix can't write to /var/spool/mail/cricket
Summary
SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write"
to cricket (mail_spool_t).
Detailed Description
SELinux denied access requested by /usr/libexec/postfix/local. It is not
expected that this access is required by /usr/libexec/postfix/local and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for cricket, restorecon -v cricket
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:postfix_local_t
Target Context system_u:object_r:mail_spool_t
Target Objects cricket [ file ]
Affected RPM Packages postfix-2.3.3-2 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name testbox
Platform Linux testbox 2.6.18-8.1.6.el5 #1 SMP Fri Jun 1
18:52:13 EDT 2007 x86_64 x86_64
Alert Count 7676
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="local" dev=dm-1 egid=650 euid=650
exe="/usr/libexec/postfix/local" exit=-13 fsgid=650 fsuid=650 gid=0 items=0
name="cricket" pid=25939 scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0
[07:26:30 testbox ] tmp $ ls -alZ /var/spool/mail/So run audit2allow, and generate a te file:
drwxrwxr-x root mail system_u:object_r:mail_spool_t .
drwxr-xr-x root root system_u:object_r:var_spool_t ..
-rw------- cricket mail system_u:object_r:mail_spool_t cricket
[07:36:29 testbox ] tmp $ sudo audit2allow -a -m postfixlocal > postfixlocal.teAnd compile it:
[07:37:22 testbox ] tmp $ cat postfixlocal.te
module postfixlocal 1.0;
require {
class file write;
type mail_spool_t;
type postfix_local_t;
role system_r;
};
allow postfix_local_t mail_spool_t:file write;
[07:37:25 testbox tmp ] $ sudo checkmodule -M -m -o postfixlocal.mod postfixlocal.teAnd create a policy package:
checkmodule: loading policy configuration from postfixlocal.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to postfixlocal.mod
[07:37:47 testbox ] tmp $ semodule_package -o postfixlocal.pp -m postfixlocal.modNow we have the ingredients:
[07:38:39 testbox ] tmp $ file postfixlo*Load the policy to the kernel:
postfixlocal.mod: data
postfixlocal.pp: data
postfixlocal.te: ASCII C++ program text
[07:38:46 testbox] tmp $ sudo semodule -i postfixlocal.ppAlso, we can load the module to another server:
[07:44:14 testbox] / $ sudo semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
postfixlocal 1.0 <------------ module loaded =]
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0
[07:47:50 testbox] tmp $ scp postfixlocal.pp testbox2:/var/tmpFrom audit2allow man page:
stewpid@testbox2's password:
postfixlocal.pp 100% 1017 1.0KB/s 00:00
[07:48:37 testbox2] tmp $ sudo semodule -i postfixlocal.pp
[07:49:02 testbox2] tmp $ sudo semodule -l |grep postfixlocal
postfixlocal 1.0
[Note] ImportantSo, it's best to either maintain a single policy (named local or whatever you'll remember), or separate
In order to load this newly created policy package into the kernel, you are required to
execute semodule -i local.pp
Note that if you later install another module called local, it will replace this module.
If you want to keep these rules around, then you either need to append future customizations
to this local.te, or give future customizations a different name.
policy names for each access you'd like to allow/maintain. I prefer the modular approach, easy to load/unload.
2 comments:
Thank you very much - you have made selinux approachable. Policy module loaded, setenforce 1, postfix restart and no error messages when forwarding or delivering mail (my error was "SELinux is preventing the /usr/libexec/postfix/local from using potentially mislabeled files (Unknown)."
douliwok
Very helpful, thanks! Aleksey
Post a Comment