SCIENTIFIC-LINUX-USERS Archives

July 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 17 Jul 2017 20:44:48 +0200
I think he maybe meant audit2allow? Which you would need this package
for: policycoreutils-python


On 07/17/2017 08:39 PM, Stephen Isard wrote:
> Thanks, but I can't find audit2text in the sl7 or epel repositories.
> "yum search audit2text" and "yum provides '*/audit2text'" both come up
> blank.  Can you tell me where to get it?
>
> On Mon, 17 Jul 2017, Paul Robert Marino prmarino1-at-gmail.com
> |Scientific Linux| wrote:
>
>> It looks like you may be right that it's /proc/net
>>
>> Have you tried using the python audit tools such as audit2text to
>> analyze them? They can make it a lot easier to understand what's going
>> on, though they usually don't tell you if there is a bool you can
>> flip to fix it.
>> That tool still needs to be written :)
>>   Original Message  
>> From: [log in to unmask]
>> Sent: July 17, 2017 2:16 PM
>> To: [log in to unmask]
>> Subject: selinux preventing access to directory net
>>
>> On two SL7.3 systems where I have set exim as my mta alternative, I
>> am getting a lot of entries in /var/log/messages saying "SELinux is
>> preventing /usr/bin/exim from search access on the directory net",
>> with the usual accompanying "if you believe that exim should be
>> allowed..." stuff, but the logs don't explain what call to exim
>> triggered the messages.
>>
>> Sealert -l tells me
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1500313603.937:268): avc:  denied { search } for
>> pid=3097 comm="exim" name="net" dev="proc" ino=7154
>> scontext=system_u:system_r:exim_t:s0
>> tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open
>> success=no exit=EACCES a0=7ff03baef4b0 a1=80000 a2=1b6 a3=24 items=0
>> ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0
>> egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim
>> exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> which doesn't seem to be much help.
>>
>> Searches turn up two CentOS 7 reports,
>> https://bugs.centos.org/view.php?id=13247 and
>> https://bugs.centos.org/view.php?id=12913 that look as if they might
>> be the same thing with different mta alternatives, but no response to
>> either.
>>
>> All that the mta is supposed to be doing on these systems is
>> reporting the output of cron jobs, and that appears to be happening
>> correctly, so I am puzzled as to what this is about.  I'm not even
>> sure what net directory is being referred to.  /proc/net?  Does an
>> mta need to look in that directory?  I can send mail internally, to
>> and from my local user and root, and that doesn't provoke selinux
>> messages in the logs.
>>
>> Any suggestions for where to look?
>>
>> Thanks,
>>
>> Stephen Isard
