Bug 242217 - Lots of selinux deny on new F7 install
Summary: Lots of selinux deny on new F7 install
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 7
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-02 09:07 UTC by Daniel Rowe
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-14 11:46:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Dovecot selinux audit log (1.18 MB, text/plain)
2007-06-05 11:20 UTC, Daniel Rowe
no flags Details

Description Daniel Rowe 2007-06-02 09:07:27 UTC
Description of problem:

After fresh install of F7 there are a large number of selinux denies. A number
of system daemons will not work due to this. Unable to get Dovecot to run in
default setup due to this. There seems to be no options in F7 to disable selinux
on daemons, in previous FC versions options to disable selinux on dovecot was
available via booleans which I can not find in F7. 

I have never had a problem with selinux in the past (other then a bit of tuning)
and have used it since inclusion in FC.

[root@bajor selinux]# audit2allow -i /var/log/audit/audit.log


#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

#============= ldconfig_t ==============
allow ldconfig_t var_log_t:file write;

#============= locate_t ==============
allow locate_t default_t:chr_file getattr;
allow locate_t file_t:chr_file getattr;

#============= logwatch_t ==============
allow logwatch_t samba_share_t:file getattr;

#============= mysqld_t ==============
allow mysqld_t user_home_dir_t:dir write;
allow mysqld_t user_home_t:file write;

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

#============= named_t ==============
allow named_t named_conf_t:chr_file getattr;

#============= postfix_master_t ==============
allow postfix_master_t etc_t:file execute;
allow postfix_master_t var_run_t:file { read lock getattr write };

#============= restorecon_t ==============
allow restorecon_t proc_kcore_t:file getattr;
allow restorecon_t proc_kmsg_t:file getattr;
allow restorecon_t proc_mdstat_t:file getattr;
allow restorecon_t self:dir relabelfrom;
allow restorecon_t self:file relabelfrom;
allow restorecon_t self:lnk_file relabelfrom;
allow restorecon_t sysctl_dev_t:file read;
allow restorecon_t sysctl_fs_t:file read;
allow restorecon_t sysctl_kernel_t:file read;
allow restorecon_t sysctl_net_t:file read;
allow restorecon_t sysctl_t:file read;
allow restorecon_t sysctl_vm_t:file read;

#============= smbd_t ==============
allow smbd_t samba_log_t:file append;

#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;


Version-Release number of selected component (if applicable):


selinux-policy-targeted-2.6.4-8.fc7
libselinux-python-2.0.13-1.fc7
selinux-policy-2.6.4-8.fc7
libselinux-devel-2.0.13-1.fc7
libselinux-2.0.13-1.fc7
libselinux-2.0.13-1.fc7
libselinux-devel-2.0.13-1.fc7

Comment 1 Daniel Walsh 2007-06-04 16:23:19 UTC
Please attach the log file.


#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

Fixed in selinux-policy-2.6.4-13.fc7 

#============= ldconfig_t ==============
allow ldconfig_t var_log_t:file write;

What file is this?  Looks like a mislabel.
#============= locate_t ==============
allow locate_t default_t:chr_file getattr;
allow locate_t file_t:chr_file getattr;

Looks like a mislabel.  restorecon -R -v /root

#============= logwatch_t ==============
allow logwatch_t samba_share_t:file getattr;

#============= mysqld_t ==============
allow mysqld_t user_home_dir_t:dir write;
allow mysqld_t user_home_t:file write;

This looks strange?  Do you have a mysql database in a homedir?

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

Fixed in selinux-policy-2.6.4-13.fc7 

#============= named_t ==============
allow named_t named_conf_t:chr_file getattr;

Mislabel?

#============= postfix_master_t ==============
allow postfix_master_t etc_t:file execute;
allow postfix_master_t var_run_t:file { read lock getattr write };

Mislabel?
#============= restorecon_t ==============
allow restorecon_t proc_kcore_t:file getattr;
allow restorecon_t proc_kmsg_t:file getattr;
allow restorecon_t proc_mdstat_t:file getattr;
allow restorecon_t self:dir relabelfrom;
allow restorecon_t self:file relabelfrom;
allow restorecon_t self:lnk_file relabelfrom;
allow restorecon_t sysctl_dev_t:file read;
allow restorecon_t sysctl_fs_t:file read;
allow restorecon_t sysctl_kernel_t:file read;
allow restorecon_t sysctl_net_t:file read;
allow restorecon_t sysctl_t:file read;
allow restorecon_t sysctl_vm_t:file read;


#============= smbd_t ==============
allow smbd_t samba_log_t:file append;

Fixed in selinux-policy-2.6.4-13.fc7 
#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;

chcon -t textrel_shlib_t LIBRARY.

Comment 2 Daniel Rowe 2007-06-05 11:20:09 UTC
Created attachment 156209 [details]
Dovecot selinux audit log

This is a grep of the dovecot deny messages from the /var/log/audit/audit.log
file.

Comment 3 Daniel Rowe 2007-06-05 11:26:39 UTC
I have don a relabel of the file system and the only problem is the dovecot
denies other than the problems fixed in selinux-policy-2.6.4-13.fc7 which I will
wait for.

Comment 4 Daniel Walsh 2007-06-05 12:04:50 UTC
selinux-policy-2.6.4-13.fc7 should be available in fedora-testing today.


Note You need to log in before you can comment on or make changes to this bug.