Problem with administration SELinux in Fedora 7

[Alex_Saf]

Hello!

At me a problem with administration SELinux in Fedora 7. In my opinion, there are not enough boolean-values in comparison with Fedora Core 6. On an example, completely there are no values of a kind <daemon_name> _disable_trans which are responsible for on/off-switching of protection for any service.

So in particular, at me a problem with access to DB MySQL of a demon postfix in my post system. And disable protection SELinux for mysqld I cannot. It is possible to disconnect only SELinux entirely.

I ask to help.

Error log:
Jul 23 16:59:37 prima1 kernel: audit(1185195577.168:78): avc: denied { search } for pid=2252 comm="smtpd" name="mysql" dev=dm-6 ino=10879009 scontext=system_u:system_rostfix_sm
tpd_t:s0 tcontext=system_ubject_r:mysqld_db_t:s0 tclass=dir

[domg472]

You can allow this access however i suspect that postfix may require more access:

1. make sure the system is safe and put selinux into permissive mode.

/usr/sbin/setenforce 0

2. start with a clean /var/log/audit/audit.log

echo "" > /var/log/audit/audit.log

3. reproduce your issue with postfix. try to do whatever it requires.

(run postfix)

4. once done put the system back in enforcing mode.

/usr/sbin/setenforce 1

5. now collect all the new avc denials and create a new module.

/sbin/ausearch -m avc -ts today | audit2allow -M mypostfix

6. review your new generated module (mypostfix.te file)

less mypostfix.te

7. if satisfied load the new module into the system

/usr/sbin/semodule -i mypostfix.pp

Note: Fedora Core 7 is "end of life". This means that you will not receive any new policy improvements from fedora. To stay up to date with policy it is best to upgrade.

[JohnVV]

domg472, Alex_Saf posted that in 07 ( 2007-07-24, 03:18 AM)