I know that F8 is not supported, but I need help in knowing how to get SELinux to permanently bypass spamass-milter denials. I just cannot upgrade this F8 machine right now as it is my main email server.
The following is generated by the command: # service spamass-milter start: [OK] is generated, but the errors are shown in /var/log/audit/audit.log:
type=AVC msg=audit(1264646701.440:1750): avc: denied { execute } for pid=13694 comm="spamass-milter" name="spamc" dev=sda3 ino=4688447 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1264646701.440:1750): arch=40000003 syscall=11 success=no exit=-13 a0=8058507 a1=968fa20 a2=bf95526c a3=1 items=0 ppid=13056 pid=13694 auid=500 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 tty=(none) ses=186 comm="spamass-milter" exe="/usr/sbin/spamass-milter" subj=unconfined_u:system_r:spamd_t:s0 key=(null) type=USER_START msg=audit(1264646735.400:1751): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_ACQ msg=audit(1264646735.400:1752): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_DISP msg=audit(1264646738.120:1753): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_END msg=audit(1264646738.122:1754): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'
Of course, shutting down spamass-milter will fail:
# service spamass-milter stop [FAILED] is generated, because /var/run/spamass-milter/spamass-milter.sock is not created.
Interestingly, if one issues:
# setenforce 0 # service spamass-milter start [OK] is generated # service spamass-milter stop [OK] is generated # setenforce 1
And, /var/run/spamass-milter/spamass-milter.sock is created.
However, sendmail with spamass-milter enabled results in permission denied because security context is enabled.
So, can someone please give me instructions so that I can permanently bypass spamass-milter audit?
Thanks! Dan
On Wed, Jan 27, 2010 at 19:24:16 -0800, Dan Thurman dant@cdkkt.com wrote:
I know that F8 is not supported, but I need help in knowing how to get SELinux to permanently bypass spamass-milter denials. I just cannot upgrade this F8 machine right now as it is my main email server.
You can use audit2allow to generate a set of rules for a local policy module (assuming this worked in F8, it's been a while) and load that module using the instructions in the audit2allow man page.
On 28/01/10 03:24, Dan Thurman wrote:
I know that F8 is not supported, but I need help in knowing how to get SELinux to permanently bypass spamass-milter denials. I just cannot upgrade this F8 machine right now as it is my main email server.
The following is generated by the command: # service spamass-milter start: [OK] is generated, but the errors are shown in /var/log/audit/audit.log:
type=AVC msg=audit(1264646701.440:1750): avc: denied { execute } for pid=13694 comm="spamass-milter" name="spamc" dev=sda3 ino=4688447 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1264646701.440:1750): arch=40000003 syscall=11 success=no exit=-13 a0=8058507 a1=968fa20 a2=bf95526c a3=1 items=0 ppid=13056 pid=13694 auid=500 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 tty=(none) ses=186 comm="spamass-milter" exe="/usr/sbin/spamass-milter" subj=unconfined_u:system_r:spamd_t:s0 key=(null) type=USER_START msg=audit(1264646735.400:1751): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_ACQ msg=audit(1264646735.400:1752): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_DISP msg=audit(1264646738.120:1753): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_END msg=audit(1264646738.122:1754): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'
Of course, shutting down spamass-milter will fail:
# service spamass-milter stop [FAILED] is generated, because /var/run/spamass-milter/spamass-milter.sock is not created.
Interestingly, if one issues:
# setenforce 0 # service spamass-milter start [OK] is generated # service spamass-milter stop [OK] is generated # setenforce 1
And, /var/run/spamass-milter/spamass-milter.sock is created.
However, sendmail with spamass-milter enabled results in permission denied because security context is enabled.
So, can someone please give me instructions so that I can permanently bypass spamass-milter audit?
For what it's worth, spamass-milter policy was completely rewritten for F-9: https://bugzilla.redhat.com/show_bug.cgi?id=447247
I also have a page regarding spamass-milter and SELinux here: http://mirror.city-fan.org/ftp/contrib/mail/spamass-milter-selinux/
This hasn't been update for quite some time but should be an improvement on F-8 policy.
It's probably worth updating spamass-milter to a current build too - you can get an F-8 one here: http://mirror.city-fan.org/ftp/contrib/mail/
Paul.
On 01/28/2010 01:35 AM, Paul Howarth wrote:
On 28/01/10 03:24, Dan Thurman wrote:
I know that F8 is not supported, but I need help in knowing how to get SELinux to permanently bypass spamass-milter denials. I just cannot upgrade this F8 machine right now as it is my main email server.
The following is generated by the command: # service spamass-milter start: [OK] is generated, but the errors are shown in /var/log/audit/audit.log:
type=AVC msg=audit(1264646701.440:1750): avc: denied { execute } for pid=13694 comm="spamass-milter" name="spamc" dev=sda3 ino=4688447 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1264646701.440:1750): arch=40000003 syscall=11 success=no exit=-13 a0=8058507 a1=968fa20 a2=bf95526c a3=1 items=0 ppid=13056 pid=13694 auid=500 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 tty=(none) ses=186 comm="spamass-milter" exe="/usr/sbin/spamass-milter" subj=unconfined_u:system_r:spamd_t:s0 key=(null) type=USER_START msg=audit(1264646735.400:1751): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_ACQ msg=audit(1264646735.400:1752): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_DISP msg=audit(1264646738.120:1753): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_END msg=audit(1264646738.122:1754): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'
Of course, shutting down spamass-milter will fail:
# service spamass-milter stop [FAILED] is generated, because /var/run/spamass-milter/spamass-milter.sock is not created.
Interestingly, if one issues:
# setenforce 0 # service spamass-milter start [OK] is generated # service spamass-milter stop [OK] is generated # setenforce 1
And, /var/run/spamass-milter/spamass-milter.sock is created.
However, sendmail with spamass-milter enabled results in permission denied because security context is enabled.
So, can someone please give me instructions so that I can permanently bypass spamass-milter audit?
For what it's worth, spamass-milter policy was completely rewritten for F-9: https://bugzilla.redhat.com/show_bug.cgi?id=447247
I also have a page regarding spamass-milter and SELinux here: http://mirror.city-fan.org/ftp/contrib/mail/spamass-milter-selinux/
This hasn't been update for quite some time but should be an improvement on F-8 policy.
It's probably worth updating spamass-milter to a current build too - you can get an F-8 one here: http://mirror.city-fan.org/ftp/contrib/mail/
Paul.
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thank you for this information, and I have tried with no hopes of getting spamass-milter to work. F8 is too damaged as far as I can tell. I will need to plan on getting a new hardware system and latest OS to get things where I need them to be.
Thanks, Dan
On 01/27/2010 10:24 PM, Dan Thurman wrote:
I know that F8 is not supported, but I need help in knowing how to get SELinux to permanently bypass spamass-milter denials. I just cannot upgrade this F8 machine right now as it is my main email server.
The following is generated by the command: # service spamass-milter start: [OK] is generated, but the errors are shown in /var/log/audit/audit.log:
type=AVC msg=audit(1264646701.440:1750): avc: denied { execute } for pid=13694 comm="spamass-milter" name="spamc" dev=sda3 ino=4688447 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1264646701.440:1750): arch=40000003 syscall=11 success=no exit=-13 a0=8058507 a1=968fa20 a2=bf95526c a3=1 items=0 ppid=13056 pid=13694 auid=500 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 tty=(none) ses=186 comm="spamass-milter" exe="/usr/sbin/spamass-milter" subj=unconfined_u:system_r:spamd_t:s0 key=(null) type=USER_START msg=audit(1264646735.400:1751): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_ACQ msg=audit(1264646735.400:1752): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_DISP msg=audit(1264646738.120:1753): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_END msg=audit(1264646738.122:1754): user pid=13765 uid=0 auid=500 ses=186 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="sa-milt" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'
Of course, shutting down spamass-milter will fail:
# service spamass-milter stop [FAILED] is generated, because /var/run/spamass-milter/spamass-milter.sock is not created.
Interestingly, if one issues:
# setenforce 0 # service spamass-milter start [OK] is generated # service spamass-milter stop [OK] is generated # setenforce 1
And, /var/run/spamass-milter/spamass-milter.sock is created.
However, sendmail with spamass-milter enabled results in permission denied because security context is enabled.
So, can someone please give me instructions so that I can permanently bypass spamass-milter audit?
Thanks! Dan
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Just build custom policy using audit2allow.
grep avc /var/log/audit/audit.log | audit2allow -M myspam semodule -i myspam.pp
selinux@lists.fedoraproject.org