Tuesday, January 15, 2013

SELinux - customising policies.

Remember that for a server on the Internet SELinux is your friend. But quite often you will need a script to do something that SELinux won't let it do.

See the how-to at: http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

For example, spamassassin using the SQL module to load rules from a remote MySQL server is blocked by SELinux. With this configuration in /etc/mail/spamassassin/sql.cf:
##rules stored in database
#user_scores_dsn                  DBI:mysql:sa_rules:localhost:3306
user_scores_dsn                  DBI:mysql:sa_rules:custweb1.spec-net.com.au:3306
user_scores_sql_password         sa_password
user_scores_sql_username         sa_user
user_scores_sql_custom_query     SELECT preference, value FROM sa_rules.userpref WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC

this SELinux audit denial is generated:
type=AVC msg=audit(1353316107.945:132): avc:  denied  { name_connect } for  pid=2529 comm="spamd" des
Generate a local Type Enforcement policy file (spamassassinmysq.te):
[root@specmail2]# grep spamd /var/log/audit/audit.log|tail |audit2allow -m spamassassinmysql > spamassassinmysq.te

This contains the following:
...
#============= spamd_t ==============
allow spamd_t mysqld_port_t:tcp_socket name_connect;
allow spamd_t user_home_dir_t:file getattr;
allow spamd_t var_log_t:lnk_file read;

Having reviewed this, generate a module:
[root@specmail2]# grep spamd /var/log/audit/audit.log|tail |audit2allow -M spamassassinmysql
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i spamassassinmysql.pp

Then load it as shown with semodule:
[root@specmail2]# semodule -i spamassassinmysql.pp
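The "having reviewed this" step is the one that matters: audit2allow will happily emit an allow rule for every denial it is fed, including denials from unrelated processes if the grep is too loose. The following is an added example, not code from the post or from the audit2allow project: a small parser that reads AVC records from audit.log text, filters on comm the way the grep above does, and merges them into TE allow rules in the same form audit2allow -m prints them, so the proposed rules can be checked before a .pp is built. The log lines are constructed for the example (the post's own AVC line is truncated); types and permissions mirror the three rules above, plus one unrelated httpd_t denial.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real log lines). The httpd_t entry is
# there to show what slips through if the comm filter is omitted.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1353316107.945:132): avc:  denied  { name_connect } for  pid=2529 comm="spamd" dest=3306 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1353316107.950:133): avc:  denied  { getattr } for  pid=2529 comm="spamd" path="/root/.spamassassin" dev=dm-0 ino=12345 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1353316108.001:134): avc:  denied  { read } for  pid=2529 comm="spamd" name="maillog" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=AVC msg=audit(1353316109.100:135): avc:  denied  { name_connect } for  pid=2700 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=USER_START msg=audit(1353316110.000:136): pid=2800 uid=0 auid=0 ses=4 msg='op=PAM:session_open acct="root"'
"""

# One AVC denial record: permissions, process name, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, perms) per AVC denial,
    optionally restricted to one process name (like `grep spamd` above)."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group("comm") != comm):
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def allow_rules(log_text, comm=None):
    """Merge denials into TE allow rules in the form audit2allow -m prints:
    one rule per (source type, target type, class), permissions combined."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text, comm):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG, comm="spamd"):
        print(rule)
```

Running it with comm="spamd" prints exactly the three rules shown above; running it without the filter also yields an allow for httpd_t, which is the kind of rule that should never end up in a module named for spamassassin.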

Notes.

If entries are not appearing in /var/log/audit/audit.log, check that the auditd service is running and check its configuration in /etc/audit/auditd.conf.
