LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

July 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS July 2017

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: selinux preventing access to directory net
From:	Stephen Isard <[log in to unmask]>
Reply To:	Stephen Isard <[log in to unmask]>
Date:	Mon, 17 Jul 2017 14:39:49 -0400
Content-Type:	multipart/mixed
Parts/Attachments:	text/plain (2672 bytes)

Thanks, but I can't find audit2text in the sl7 or epel repositories.
"yum search audit2text" and "yum provides '*/audit2text'" both come up 
blank.  Can you tell me where to get it?

On Mon, 17 Jul 2017, Paul Robert Marino prmarino1-at-gmail.com |Scientific Linux| wrote:

> It looks like you may be right that it's /proc/net
>
> Have you tried using the python audit tools such as audit2text to analyze them they can make it a lot easier to understand what's going on, though they usually don't tell you if there is a bool you can flip to fix it.
> That tool still needs to be written :)
>   Original Message  
> From: [log in to unmask]
> Sent: July 17, 2017 2:16 PM
> To: [log in to unmask]
> Subject: selinux preventing access to directory net
>
> On two SL7.3 systems where I have set exim as my mta alternative, I am 
> getting a lot of entries in /var/log/messages saying "SELinux is 
> preventing /usr/bin/exim from search access on the directory net", with 
> the usual accompanying "if you believe that exim should be allowed..." 
> stuff, but the logs don't explain what call to exim triggered the 
> messages.
>
> Sealert -l tells me
>
> Raw Audit Messages
> type=AVC msg=audit(1500313603.937:268): avc:  denied { search } for 
> pid=3097 comm="exim" name="net" dev="proc" ino=7154 
> scontext=system_u:system_r:exim_t:s0 
> tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open 
> success=no exit=EACCES a0=7ff03baef4b0 a1=80000 a2=1b6 a3=24 items=0 
> ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 
> egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim 
> exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>
> which doesn't seem to be much help.
>
> Searches turn up two Centos 7 reports,
> https://bugs.centos.org/view.php?id=13247 and 
> https://bugs.centos.org/view.php?id=12913 that look as if they might be 
> the same thing with different mta alternatives, but no response to 
> either.
>
> All that the mta is supposed to be doing on these systems is reporting 
> the output of cron jobs, and that appears to be happening correctly, so 
> I am puzzled as to what this is about.  I'm not even sure what net 
> directory is being referred to.  /proc/net?  Does an mta need to look in 
> that directory?  I can send mail internally, to and from my local user 
> and root, and that doesn't provoke selinux messages in the logs.
>
> Any suggestions for where to look?
>
> Thanks,
>
> Stephen Isard

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV