See the CentOS SELinux HowTo at: http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01
For example, spamassassin using the SQL module to load rules from a remote MySQL server is blocked by SELinux. For the configuration in /etc/mail/spamassassin/sql.cf:
## rules stored in database
#user_scores_dsn DBI:mysql:sa_rules:localhost:3306
user_scores_dsn DBI:mysql:sa_rules:custweb1.spec-net.com.au:3306
user_scores_sql_password sa_password
user_scores_sql_username sa_user
user_scores_sql_custom_query SELECT preference, value FROM sa_rules.userpref WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC

The following SELinux audit error is generated:
type=AVC msg=audit(1353316107.945:132): avc: denied { name_connect } for pid=2529 comm="spamd" des

Generate a local Type Enforcement policy file (spamassassinmysq.te):
[root@specmail2]# grep spamd /var/log/audit/audit.log|tail |audit2allow -m spamassassinmysql > spamassassinmysq.te
This contains the following:
...
#============= spamd_t ==============
allow spamd_t mysqld_port_t:tcp_socket name_connect;
allow spamd_t user_home_dir_t:file getattr;
allow spamd_t var_log_t:lnk_file read;

Having reviewed this (audit2allow grants exactly what was denied, so confirm each allow rule is one you actually want), generate a module:
[root@specmail2]# grep spamd /var/log/audit/audit.log|tail |audit2allow -M spamassassinmysql
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i spamassassinmysql.pp

Then load it with semodule as shown:
[root@specmail2]# semodule -i spamassassinmysql.pp
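To make clear what audit2allow is doing with those log lines, here is an added example (not from the original post, and not the audit2allow tool itself) that re-implements the relevant subset in POSIX shell: it parses AVC denial lines into allow rules and wraps them in a Type Enforcement module body of the same shape as the .te file above. The two sample AVC lines are constructed for this example; the field layout follows what auditd writes, with the same pid, comm, permission and types that appear on this page, and the dest port is assumed.

```shell
#!/bin/sh
# Constructed sample AVC denials (not the page's audit.log). The layout is the
# standard auditd AVC record; pid/comm/permission/types match the page, dest is assumed.
SAMPLE_AVC='type=AVC msg=audit(1353316107.945:132): avc:  denied  { name_connect } for  pid=2529 comm="spamd" dest=3306 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1353316107.946:133): avc:  denied  { getattr } for  pid=2529 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file'

# avc_to_allow: read AVC denial lines on stdin, print one "allow" rule per
# distinct (source type, target type, class, permissions) tuple, like audit2allow -m.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      # permission list sits between the braces: "{ name_connect }" or "{ read write }"
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # third colon-separated element of a context is its type (user:role:type:level)
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next      # malformed or truncated line
      if (perms ~ / /) perms = "{ " perms " }"           # several permissions
      print "allow " src " " tgt ":" cls " " perms ";"
    }' | sort -u
}

# build_te: wrap allow rules (stdin) into a loadable module body for the given
# module name: a require block declaring every type and class used, then the rules.
# Simplification: the section header assumes all rules share one source type.
build_te() {
  name="$1"
  rules=$(cat)
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  # every source and target type referenced by the rules
  printf '%s\n' "$rules" | awk '{ print "\ttype " $2 ";"; sub(/:.*/, "", $3); print "\ttype " $3 ";" }' | sort -u
  # every class, with the union of the permissions requested on it
  printf '%s\n' "$rules" | awk '
    { split($3, a, ":"); cls = a[2]
      perms = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", perms); gsub(/[{};]/, "", perms)
      seen[cls] = seen[cls] " " perms }
    END {
      for (c in seen) {
        n = split(seen[c], p, " "); split("", u); out = ""
        for (i = 1; i <= n; i++) if (!(p[i] in u)) { u[p[i]] = 1; out = out " " p[i] }
        print "\tclass " c " {" out " };"
      }
    }' | sort -u
  printf '}\n\n#============= %s ==============\n' "$(printf '%s\n' "$rules" | awk '{ print $2; exit }')"
  printf '%s\n' "$rules"
}

# Usage: mirrors "grep spamd audit.log | tail | audit2allow -m spamassassinmysql"
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | build_te spamassassinmysql
```

On a real host you would feed `grep spamd /var/log/audit/audit.log` into avc_to_allow instead of the constructed sample, but the point of the example is the review step: each printed allow rule is exactly one denial being turned into a permanent permission, so read them before packaging anything with semodule.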
Notes:
If entries are not appearing in /var/log/audit/audit.log, check that the auditd service is running, and check its configuration in /etc/audit/auditd.conf.