Justin Willmert wrote:
Justin Willmert wrote:
Paul Howarth wrote:
On Sun, 2006-01-29 at 22:52 -0600, Justin Willmert wrote:
Ivan Gyurdiev wrote:
I'm cc-ing this to the fedora-selinux-list. I think some of the
problems may be applicable there.
OK, after some more testing, when I disable SELinux, many of the
errors go away. First of all, I get rid of the error message
saying user can not be found and with it the 'still running as
root' error. Second, it is able to access the bayes_journal file
(as long as normal unix permissions are right, which I've figured
out). So I guess the problem is an SELinux issue which I can't
solve. I'd attach some avc error messages, but I can't seem to
find any. I've looked in maillog, secure, and messages, but nothing.
Have you looked in the audit log, where all such messages are
usually found ?
/var/log/audit.log
Below is what showed up in audit/audit.log when I sent a message
through
spamassassin. I'm _*really*_ rusty on SELinux...it's the one thing I
have to deal with quite often that I haven't been able to learn how to
use...it's so foreign to me. I've never looked in audit.log before: the
avc messages used to show up in messages, but now as far back as my
logs
go, I don't have a single avc message. This all looks like jibberish to
me, so I need your guy's help.
Thanks,
Justin
type=AVC msg=audit(1138596151.681:104174): avc: denied {
name_connect } for pid=23796 comm="spamd" dest=389
scontext=root:system_r:spamd_t
tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
< clipped >
Are you using LDAP for authentication or to handle mail accounts?
Paul.
No, I am not using LDAP in spamassassin itself (there are ldap
arguments to spamd and I'm not using those), but my system uses LDAP
authentication through nsswitch/pam (whatever the distinction is).
Does spamd need to know my ldap server's information?
I believe I found a temporary work around for the bayes files: I put
them in a non-standard location (/etc/mail/bayes/) because I wanted a
system-wide database (some users don't get enough spam to warrant
their own database). I found if I set /etc/mail/bayes/ to
user_home_dir_t and /etc/mail/bayes/* to user_home_t that the denied
messages for files are gone (if I'm reading the logs right). I don't
see the file denial messages in the log output I put above, but they
are in audit.log and in the latest test, they aren't there so I'm
hoping I'm looking into all of this right. If you want me to confirm
all of this, I can reset the directory context and do some tests, then
set up the directory context again and compare that result, somebody
just has to ask.
Now I've just got to solve the LDAP messages. I'll try to look into
this a bit, but I'm probably going to need the help, so thanks to all
those who take time to reply.
Justin
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I've got a question about how SELinux works underneath. I'm doing a lot
of speculating based on the few things I think I know, so correct me
when I'm wrong.
When SpamAssassin wants to get the user information, it probably uses a
system call that is controlled through /etc/nsswitch.conf (I've seen the
call before, but can't think of it off the top of my head). That in turn
would connect to my LDAP server and authenticate the user and download
its profile information. The nsswitch libraries would be in
SpamAssassin's process space (if I understand linux programming
correctly), so that would mean that if SpamAssassin is under an SELinux
context, then the nsswitch libraries would be too. Would this be where
I'm getting denied messages for ldap_port_t messages from?
Yes.
If I've thought this through correctly and this is a problem, would
somebody tell me so that I can post a bugzilla report? I'll search
bugzilla later to make sure that it's not already in there (I've got to
go to school so I don't really have time to do it right now).
Yes just adding the AVC messages to the bugzilla would be fine.
Thanks to all those who've helped!
Justin
