[Triumf-linux-managers] Anyone not turning off SELinux ?

Chris Payne chris.payne at triumf.ca
Tue Oct 7 09:44:23 PDT 2008


On Mon, Oct 06, 2008 at 06:32:38PM -0700, Kel Raywood wrote:
> Andrew Daviel wrote:
> >I just wondered if anyone was successfully living with SELinux in 
> >enforcing mode.
> 
> However, it is servers such as web, database, print, ... that are most 
> likely to be affected by SELinux (by design) and the TRIUMF kickstarts do 
> not install any of these packages.  If you've installed and configured any 
> server-packages and use SELinux or have since disabled it, then we'd like to 
> hear about your experience.

I have had similar experiences with SELinux on my desktop, but always mean to 
look into it. It seems there are tools to help set up the system, i.e.:

> man audit2allow

AUDIT2ALLOW(1)                        NSA                      AUDIT2ALLOW(1)

NAME
	audit2allow  -  generate SELinux policy allow rules from logs of denied operations

<snip>

etc. There was a thread on the CentOS list about this recently, I have 
attached a message below with a link to their howto.

http://wiki.centos.org/HowTos/SELinux

I have not tried this myself.

HTH
Chris
--
Chris Payne			chris.payne at triumf.ca
TRIUMF ATLAS Tier-1 System Administrator - Networking
TRIUMF				+1 604 222 7554
4004 Wesbrook Mall, Vancouver, BC, V6T2A3, CANADA




----- Forwarded message from Ned Slider <ned at unixmail.co.uk> -----

Delivered-To: centos at centos.org
Date: Sun, 05 Oct 2008 11:07:54 +0100
From: Ned Slider <ned at unixmail.co.uk>
User-Agent: Thunderbird 2.0.0.17 (X11/20080914)
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] problem talking to server postgrey/socket: Permission
	denied
In-Reply-To: <43426F6174DF4816DC76C076 at file.wkd-druck.org>
Precedence: list
Reply-To: CentOS mailing list <centos at centos.org>
Errors-To: centos-bounces at centos.org

Dirk H. Schulz wrote:
>Hi folks,
>
>I have installed postgrey from the rpmforge repo, but it does not work 
>well with postfix from CentOS 5.2: I always get the error:
>
>warning: connect to postgrey/socket: Permission denied
>problem talking to server postgrey/socket: Permission denied
>
>But the permissions on the socket seem okay (postfix could write to it):
>srw-rw-rw- 1 postgrey postgrey        0  4. Okt 14:48 socket
>
>I also tried "restorecon -R /var/spool/postfix/postgrey", but that did 
>not change anything, either.
>
>Googling does not show anything recent and helpful. Any hint or help is 
>appreciated.
>
>Dirk
>

Hi Dirk,

You're correct in your assumption that this is an SELinux issue. You 
need to write a custom policy to allow connection and writing to the socket.

How to do this is covered in the SELinux Wiki guide here:

http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

and luckily for you, the example used is for postgrey/postfix so you can 
use the example provided.

Hope that helps.

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos


----- End forwarded message -----
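
What audit2allow does with a denial like the postgrey socket one, as an added sketch that is not part of either message above and is not the audit2allow source: it reads AVC "denied" records and turns each (source type, target type, class) into an allow rule. The audit lines and the SELinux types in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread); the types and
# values are assumptions chosen to resemble a postfix -> postgrey socket denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1223200001.101:41): avc:  denied  { write } for  pid=2101 comm="smtpd" name="socket" dev=sda1 ino=4711 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1223200001.102:42): avc:  denied  { connectto } for  pid=2101 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1223200002.201:43): avc:  denied  { write } for  pid=2102 comm="smtpd" name="socket" dev=sda1 ino=4711 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1223200002.201:43): arch=40000003 syscall=102 success=no exit=-13 comm="smtpd"
"""

# Permissions inside { }, then the source context, target context and class.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def domain(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials(log):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC.search(line)
        if m:  # non-AVC records (e.g. SYSCALL) are skipped
            key = (domain(m["s"]), domain(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return rules

def allow_rules(log):
    """Render one allow rule per key; repeated denials collapse into one rule."""
    out = []
    for (src, tgt, cls), perms in sorted(denials(log).items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Each emitted rule is a standing grant to the source domain, so the generated rules are worth reading before a module built from them is loaded.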

