Bug 242217 - Lots of selinux deny on new F7 install
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: x86_64 Linux
Priority: low  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-02 05:07 EDT by Daniel Rowe
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-14 07:46:26 EDT

Attachments
Dovecot selinux audit log (1.18 MB, text/plain)
2007-06-05 07:20 EDT, Daniel Rowe
Description Daniel Rowe 2007-06-02 05:07:27 EDT
Description of problem:

After a fresh install of F7 there are a large number of selinux denies. A number
of system daemons will not work due to this. Unable to get Dovecot to run in the
default setup due to this. There seem to be no options in F7 to disable selinux
on daemons; in previous FC versions options to disable selinux on dovecot were
available via booleans, which I can not find in F7.

I have never had a problem with selinux in the past (other than a bit of tuning)
and have used it since its inclusion in FC.

[root@bajor selinux]# audit2allow -i /var/log/audit/audit.log


#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

#============= ldconfig_t ==============
allow ldconfig_t var_log_t:file write;

#============= locate_t ==============
allow locate_t default_t:chr_file getattr;
allow locate_t file_t:chr_file getattr;

#============= logwatch_t ==============
allow logwatch_t samba_share_t:file getattr;

#============= mysqld_t ==============
allow mysqld_t user_home_dir_t:dir write;
allow mysqld_t user_home_t:file write;

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

#============= named_t ==============
allow named_t named_conf_t:chr_file getattr;

#============= postfix_master_t ==============
allow postfix_master_t etc_t:file execute;
allow postfix_master_t var_run_t:file { read lock getattr write };

#============= restorecon_t ==============
allow restorecon_t proc_kcore_t:file getattr;
allow restorecon_t proc_kmsg_t:file getattr;
allow restorecon_t proc_mdstat_t:file getattr;
allow restorecon_t self:dir relabelfrom;
allow restorecon_t self:file relabelfrom;
allow restorecon_t self:lnk_file relabelfrom;
allow restorecon_t sysctl_dev_t:file read;
allow restorecon_t sysctl_fs_t:file read;
allow restorecon_t sysctl_kernel_t:file read;
allow restorecon_t sysctl_net_t:file read;
allow restorecon_t sysctl_t:file read;
allow restorecon_t sysctl_vm_t:file read;

#============= smbd_t ==============
allow smbd_t samba_log_t:file append;

#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;


Version-Release number of selected component (if applicable):


selinux-policy-targeted-2.6.4-8.fc7
libselinux-python-2.0.13-1.fc7
selinux-policy-2.6.4-8.fc7
libselinux-devel-2.0.13-1.fc7
libselinux-2.0.13-1.fc7
libselinux-2.0.13-1.fc7
libselinux-devel-2.0.13-1.fc7
Comment 1 Daniel Walsh 2007-06-04 12:23:19 EDT
Please attach the log file.


#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

Fixed in selinux-policy-2.6.4-13.fc7 

#============= ldconfig_t ==============
allow ldconfig_t var_log_t:file write;

What file is this?  Looks like a mislabel.

#============= locate_t ==============
allow locate_t default_t:chr_file getattr;
allow locate_t file_t:chr_file getattr;

Looks like a mislabel.  restorecon -R -v /root

#============= logwatch_t ==============
allow logwatch_t samba_share_t:file getattr;

#============= mysqld_t ==============
allow mysqld_t user_home_dir_t:dir write;
allow mysqld_t user_home_t:file write;

This looks strange?  Do you have a mysql database in a homedir?

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

Fixed in selinux-policy-2.6.4-13.fc7 

#============= named_t ==============
allow named_t named_conf_t:chr_file getattr;

Mislabel?

#============= postfix_master_t ==============
allow postfix_master_t etc_t:file execute;
allow postfix_master_t var_run_t:file { read lock getattr write };

Mislabel?

#============= restorecon_t ==============
allow restorecon_t proc_kcore_t:file getattr;
allow restorecon_t proc_kmsg_t:file getattr;
allow restorecon_t proc_mdstat_t:file getattr;
allow restorecon_t self:dir relabelfrom;
allow restorecon_t self:file relabelfrom;
allow restorecon_t self:lnk_file relabelfrom;
allow restorecon_t sysctl_dev_t:file read;
allow restorecon_t sysctl_fs_t:file read;
allow restorecon_t sysctl_kernel_t:file read;
allow restorecon_t sysctl_net_t:file read;
allow restorecon_t sysctl_t:file read;
allow restorecon_t sysctl_vm_t:file read;


#============= smbd_t ==============
allow smbd_t samba_log_t:file append;

Fixed in selinux-policy-2.6.4-13.fc7

#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;

chcon -t textrel_shlib_t LIBRARY.
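The triage done by hand in comment 1 (collapsing raw AVC records into audit2allow-style rules, then separating denials that need a policy change from ones that point at mislabelled files) can be scripted. The Python below is an added example, not code from this bug, from audit2allow or from the selinux-policy package. The audit records in it are constructed to resemble the report's denials (the pids, inodes and /root/.stuff paths are invented), and treating file_t/default_t/unlabeled_t targets as restorecon candidates is a heuristic drawn from the remarks above, not a rule audit2allow itself applies.

```python
import re
from collections import defaultdict

# Constructed sample records in the format written to /var/log/audit/audit.log.
# They mirror the kinds of denials in the report but are illustrative, not
# copied from the attached log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1180771234.123:45): avc:  denied  { audit_write } for  pid=2345 comm="dovecot-auth" capability=29 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1180771234.456:46): avc:  denied  { write } for  pid=2345 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1180771234.457:47): avc:  denied  { create read } for  pid=2345 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1180771300.001:48): avc:  denied  { getattr } for  pid=3001 comm="updatedb" path="/root/.stuff/tty" dev=sda2 ino=1234 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file
type=AVC msg=audit(1180771300.002:49): avc:  denied  { getattr } for  pid=3001 comm="updatedb" path="/root/.stuff/tty2" dev=sda2 ino=1235 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1180771300.002:49): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<detail>.*?)'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'path="(?P<path>[^"]*)"')

# Target types that mean "this file carries no proper label". A denial against
# one of these is the situation the maintainer calls a mislabel: the fix is
# restorecon on the path, not a new allow rule. (Heuristic, assumed here.)
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Collapse AVC denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the collapsed denials in the audit2allow output style seen in the report."""
    lines = []
    for stype in sorted({k[0] for k in rules}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s != stype:
                continue
            target = "self" if s == t else t
            ps = sorted(perms)
            perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
            lines.append(f"allow {s} {target}:{cls} {perm_str};")
        lines.append("")
    return lines


def suspected_mislabels(log_text):
    """(path, target_type) pairs whose denial targets an unlabeled type."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["tcontext"]) not in UNLABELED_TYPES:
            continue
        p = PATH_RE.search(m["detail"])
        found.append((p["path"] if p else "<no path>", context_type(m["tcontext"])))
    return found


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AUDIT_LOG)
    print("\n".join(to_allow_rules(rules)))
    for path, ttype in suspected_mislabels(SAMPLE_AUDIT_LOG):
        print(f"mislabel candidate: {path} (labelled {ttype}); try restorecon -v {path}")
```

Replacing SAMPLE_AUDIT_LOG with the contents of a real audit.log gives the same two views: the rule summary to compare against what the updated policy package already grants, and the list of paths to hand to restorecon before any allow rule is written. Unlike audit2allow -M, nothing here loads policy, so the output is only a review aid.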
Comment 2 Daniel Rowe 2007-06-05 07:20:09 EDT
Created attachment 156209
Dovecot selinux audit log

This is a grep of the dovecot deny messages from the /var/log/audit/audit.log
file.
Comment 3 Daniel Rowe 2007-06-05 07:26:39 EDT
I have done a relabel of the file system and the only problem left is the dovecot
denies, other than the problems fixed in selinux-policy-2.6.4-13.fc7, which I will
wait for.
Comment 4 Daniel Walsh 2007-06-05 08:04:50 EDT
selinux-policy-2.6.4-13.fc7 should be available in fedora-testing today.