How can this happen? It's getting denied, but not appearing in either the audit log or the messages file. Running Centos 6 fully updated, php (drupal) inside of httpd tries to send mail via postfix (postdrop).
When I have setenforce 0, the mail goes through. No errors in any logs (audit.log, error_log, messages)
When I have setenforce 1, the mail gets blocked. I get this message in httpd error_log:
sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
sendmail: fatal: email@example.com(48): unable to execute /usr/sbin/postdrop -r: Success
I have auditd running. In fact, I regularly use audit2allow to create allow policies on this machine. So I can confidently say normally my selinux denials get logged in the audit.log. I am at a loss to think of any reason this particular failure is not getting logged the same way my other error messages usually get logged.
I believe I can write a custom allow script by hand, but I believe I probably shouldn't, or if I try, it will fail for some reason.
Thanks for your help...
On Wed, 28 Dec 2011 18:04:30 -0500 Edward Ned Harvey selinuxadmin@clevertrove.com wrote:
> How can this happen? It's getting denied, but not appearing in either the audit log or the messages file. Running Centos 6 fully updated, php (drupal) inside of httpd tries to send mail via postfix (postdrop).
> When I have setenforce 0, the mail goes through. No errors in any logs (audit.log, error_log, messages)
> When I have setenforce 1, the mail gets blocked. I get this message in httpd error_log:
> sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
> sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
> sendmail: fatal: email@example.com(48): unable to execute /usr/sbin/postdrop -r: Success
> I have auditd running. In fact, I regularly use audit2allow to create allow policies on this machine. So I can confidently say normally my selinux denials get logged in the audit.log. I am at a loss to think of any reason this particular failure is not getting logged the same way my other error messages usually get logged.
> I believe I can write a custom allow script by hand, but I believe I probably shouldn't, or if I try, it will fail for some reason.
> Thanks for your help...
The denials you're getting are probably being dontaudit-ed. See:
http://danwalsh.livejournal.com/11673.html
Paul.
On Thu, Dec 29, 2011 at 12:15:46AM +0000, Paul Howarth wrote:
> The denials you're getting are probably being dontaudit-ed. See:
... try to find selinux errors:
    grep -i err /var/log/audit/audit.log
or switch noaudit off:
    semodule -BD
Regards
Adam Przybyla
From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Paul Howarth
> The denials you're getting are probably being dontaudit-ed. See:
Perfect. Awesome. Thank you. :-)
On 12/30/2011 03:14 PM, Edward Ned Harvey wrote:
> Perfect. Awesome. Thank you. :-)
What AVC msgs are you getting?
From: Miroslav Grepl [mailto:mgrepl@redhat.com] Sent: Monday, January 02, 2012 7:59 AM
> What AVC msgs are you getting?
I was getting none. But thanks to the suggestion about dontaudit, it's problem solved now.
Thank you.
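
The procedure the thread settles on, as an added example that is not part of the original messages: rebuild the policy with dontaudit rules disabled (`semodule -DB`), reproduce the failure, summarise the AVC denials that now appear, then rebuild with `semodule -B` to restore the dontaudit rules. The function names and the sample audit records are constructed for illustration; the thread does not show the actual denials.

```sh
#!/bin/sh
# Constructed sample of raw audit records as they might look once dontaudit
# rules are disabled. Contexts, pids and inodes are illustrative only.
SAMPLE_LOG='type=AVC msg=audit(1325113470.101:501): avc:  denied  { execute } for  pid=2101 comm="sendmail" name="postdrop" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1325113470.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="sendmail"
type=AVC msg=audit(1325113475.220:502): avc:  denied  { execute } for  pid=2107 comm="sendmail" name="postdrop" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=AVC msg=audit(1325113475.221:503): avc:  denied  { read write } for  pid=2107 comm="sendmail" path="socket:[9999]" dev=sockfs ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket'

# Read raw audit records on stdin and print one line per distinct denial:
#   <count> <source type> <target type>:<class> { <permissions> }
summarize_avc() {
    awk '
    # Return the type (third colon-separated part) of a "key=context" field.
    function ctx_type(f,   parts) {
        sub(/^[^=]*=/, "", f)
        split(f, parts, ":")
        return parts[3]
    }
    /type=AVC/ && / denied / {
        perms = $0
        sub(/^.*[{] /, "", perms)      # drop everything up to "{ "
        sub(/ [}].*$/, "", perms)      # drop everything from " }"
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Run as root on the affected host. "$@" is whatever command reproduces the
# failure (an assumption of this example, e.g. a script that sends a test mail).
reveal_hidden_denials() {
    semodule -DB || return 1       # rebuild policy with dontaudit rules disabled
    "$@"                           # reproduce the silently denied action
    ausearch -m avc -ts recent --raw | summarize_avc
    semodule -B                    # rebuild again, dontaudit rules back in place
}
```

Leaving dontaudit disabled floods audit.log with denials that are normally harmless, so the final `semodule -B` matters as much as the first step.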