spamassassin-users mailing list archives

From Toby Goodwin <t...@paccrat.org>
Subject Re: spamd Will Not Create unix:socket
Date Tue, 28 Nov 2017 08:54:38 GMT
> I am really trying to not turn off SELinux with this server, and only have this one showstopper
> error.  But I don't know what to do with this gibberish:

Here's an extract from a page I wrote about SELinux (not currently published, or I could just
send you the link).

--->8--- 
This is where it can get a bit hairy. I recommend creating /root/selinux as a scratchpad to
work in, and as a record of what changes have been made.

First, copy and paste lines from the log into a file called thing0.log, where thing is a mnemonic
name for what you're trying to enable. In this example, thing is smartd.

root# cd; mkdir selinux; cd selinux
root# cat > smartd0.log
type=AVC msg=audit(1425551687.181:491): avc:  denied  { getattr } for  pid=20943 comm="smartd"
path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc:  denied  { execute } for  pid=20943 comm="smartd"
path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file

Next, see what allowing this would look like

root# audit2allow < smartd0.log
#============= fsdaemon_t ==============
allow fsdaemon_t file_t:file { getattr execute };

Assuming this looks vaguely sane, generate a loadable module that will allow the access

root# audit2allow -M smartd0 < smartd0.log

And then load that module, using the command it just told you (annoyingly, this step takes
on the order of 10s)

root# semodule -i smartd0.pp

What you'll typically find is that whatever you were trying to do now fails at the next step.
For example, you might have just allowed getattr access, but the next thing the program needs
to do is open the file. Repeat the process with thing1.log. This does get a bit annoying,
but I don't think I've ever taken more than about 3 or 4 steps.

Note that not everything forbidden by SELinux needs to be allowed. Quite often programs will
happily run, despite generating a few warnings in the log.
---8<---

Hope this helps!

Toby.

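The audit2allow loop described in the message above, as an added example that is not part of Toby's page or of the original post: a standard-library Python script that parses pasted AVC records (re-joining records that were wrapped onto several lines in the mail, exactly as the two quoted denials are), drafts the same one-rule-per-source/target/class `allow` statements that audit2allow prints for plain type-enforcement denials, and adds one check worth making at the "assuming this looks vaguely sane" step: when the target type is `file_t` or `unlabeled_t`, the object carries no proper SELinux label, so the candidate fix is `restorecon` on that path rather than loading a module that lets the domain touch every unlabelled file. The sample log is constructed: it embeds the two denials quoted in the message, a hypothetical third denial (the `/dev/sda` path and `device_t` label are made up for illustration) and an abbreviated non-AVC record that the parser must skip.

```python
"""Draft SELinux allow rules from pasted AVC denials, with a relabel check.

Added example, not code from the original message or its author.
"""
import re
from collections import defaultdict

# key=value tokens in an audit record; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the "{ perm perm ... }" list in an AVC record
_PERMS = re.compile(r"\{\s*([^}]*)\}")

# Reference-policy types meaning "no proper label on this object".
# A denial against these usually wants restorecon, not a new allow rule.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}

# Constructed sample: the two denials quoted in the message (wrapped as in
# the mail), one abbreviated non-AVC record, and one hypothetical denial
# (the /dev/sda path and device_t label are made up for illustration).
SAMPLE_LOG = """\
type=AVC msg=audit(1425551687.181:491): avc:  denied  { getattr } for  pid=20943 comm="smartd"
path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc:  denied  { execute } for  pid=20943 comm="smartd"
path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1425551687.181:492): arch=c000003e syscall=9 success=no exit=-13
type=AVC msg=audit(1425551700.000:500): avc:  denied  { read } for  pid=20943 comm="smartd"
path="/dev/sda" dev="devtmpfs" ino=1234 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""


def split_records(text):
    """Re-join records wrapped when pasted from the log: a new record starts
    at 'type='; any other non-empty line continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return the parts of one 'avc: denied' record, or None for anything else."""
    if "avc:" not in record or "denied" not in record:
        return None
    perms = _PERMS.search(record)
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    if not perms or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": perms.group(1).split(),
        "source_type": fields["scontext"].split(":")[2],  # user:role:type:level
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "comm": fields.get("comm"),
    }


def parse_records(text):
    """All AVC denials in the pasted text, non-AVC records skipped."""
    return [avc for avc in map(parse_avc, split_records(text)) if avc]


def draft_rules(avcs):
    """One allow rule per (source, target, class), permissions merged in the
    order first seen, in the form audit2allow prints."""
    merged = defaultdict(list)
    for avc in avcs:
        key = (avc["source_type"], avc["target_type"], avc["tclass"])
        for perm in avc["perms"]:
            if perm not in merged[key]:
                merged[key].append(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def relabel_candidates(avcs):
    """Paths denied against an unlabelled target type: fix the label first."""
    paths = []
    for avc in avcs:
        if avc["target_type"] in UNLABELLED_TYPES and avc["path"] and avc["path"] not in paths:
            paths.append(avc["path"])
    return paths


def report(text):
    """audit2allow-style summary followed by the relabel hints, as one string."""
    avcs = parse_records(text)
    out = []
    for src in sorted({a["source_type"] for a in avcs}):
        out.append(f"#============= {src} ==============")
        out.extend(r for r in draft_rules(avcs) if r.split()[1] == src)
    for path in relabel_candidates(avcs):
        out.append(f"# {path} is unlabelled; try: restorecon -v {path} before loading a module")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running it on the sample prints the `allow fsdaemon_t file_t:file { getattr execute };` line that audit2allow produced in the message, plus a hint that `/usr/lib64/libstdc++.so.6.0.19` is unlabelled: a system library with type `file_t` almost always means a filesystem that was populated without labels, and relabelling it removes the denial without widening policy. The script only drafts rules; it does not replace `audit2allow -M` and `semodule -i`, which still handle the module build and load.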