[solved] semanage/restorecon/audit2allow apparently not working

Support for security such as Firewalls and securing linux
MartinR
Posts: 622
Joined: 2015/05/11 07:53:27
Location: UK

[solved] semanage/restorecon/audit2allow apparently not working

Post by MartinR » 2020/04/16 11:51:44

I say "apparently", since I'm sure I'm doing something daft.

In my home directory on a client machine I have a .forward file, but SELinux is causing problems. The permissions are set correctly (I believe):

# ls -ld /local /local/XXX /local/XXX/.forward
drwxr-xr-x.  3 root root   17 Mar 18 10:54 /local
drwxr-xr-x. 16 XXX  XXX 4096 Apr 16 11:10 /local/XXX
-rw-r--r--.  1 XXX  XXX    15 Apr 16 10:55 /local/XXX/.forward

I ran up cockpit on the machine and sure enough, SELinux was blocking things: "SELinux is preventing local from open access on the file /local/jmr/.forward". Two suggestions were made:

  • "If you want to allow local to have open access on the .forward file": # semanage fcontext -a -t FILE_TYPE '/local/XXX/.forward' followed by # restorecon -v '/local/XXX/.forward'. The list of file types is extensive and shown below.
  • "If you believe that local should be allowed open access on the .forward file by default": # ausearch -c 'local' --raw | audit2allow -M my-local followed by # semodule -i my-local.pp
Normally I just use the second of these, but it doesn't seem to work in this case. As soon as I send a mail message the error reappears. I also tried:

# semanage fcontext -a -t mail_home_t .forward
# echo $?
0
# restorecon -v .forward
# echo $?
0
# ls -lZ .forward
-rw-r--r--. XXX XXX unconfined_u:object_r:default_t:s0 .forward

I've tried both fixes as both root and the user. The only difference is that the user has the error message "ValueError: SELinux policy is not managed or store cannot be accessed" returned to the semanage command.

I'm trying to cooperate with SELinux on this machine instead of turning it off as normal.
--------------------------------------------------------
List of suggested filetypes:
NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, alsa_home_t, alsa_tmp_t, amanda_tmp_t, anon_inodefs_t, antivirus_exec_t, antivirus_home_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, audio_home_t, auditadm_sudo_tmp_t, auth_home_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cache_home_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_home_t, chrome_sandbox_tmp_t, chronyd_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_tmp_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, conman_tmp_t, container_home_t, container_runtime_tmp_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_home_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_exec_t, dovecot_deliver_tmp_t, dovecot_spool_t, dovecot_tmp_t, drbd_tmp_t, dspam_exec_t, etc_aliases_t, etc_mail_t, etc_runtime_t, etc_t, exim_exec_t, exim_tmp_t, fail2ban_tmp_t, fenced_tmp_t, fetchmail_home_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, ganesha_tmp_t, gconf_home_t, gconf_tmp_t, geoclue_tmp_t, 
getty_tmp_t, git_script_tmp_t, git_user_content_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpg_secret_t, gpm_tmp_t, gssd_tmp_t, gstreamer_home_t, home_bin_t, home_cert_t, hostname_etc_t, hsqldb_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icc_data_home_t, iceauth_home_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipa_tmp_t, ipsec_tmp_t, iptables_tmp_t, irc_home_t, irc_tmp_t, irssi_home_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_home_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, local_login_home_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t, mail_munin_plugin_tmp_t, mail_spool_t, mailman_cgi_tmp_t, mailman_data_t, mailman_log_t, mailman_mail_exec_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mandb_home_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_home_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_home_t, mpd_tmp_t, mpd_user_data_t, mplayer_home_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_home_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfs_t, nova_tmp_t, nsd_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openshift_var_lib_t, 
openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pcp_var_lib_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_cache_home_t, polipo_config_home_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_etc_t, postfix_exec_t, postfix_local_exec_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_spool_t, postfix_var_run_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_exec_t, procmail_home_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulseaudio_home_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, rabbitmq_tmp_t, racoon_tmp_t, realmd_tmp_t, redis_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rkhunter_var_lib_t, rlogind_home_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rssh_ro_t, rssh_rw_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sandbox_file_t, sbd_tmpfs_t, sblim_tmp_t, screen_home_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_exec_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_exec_t, spamc_home_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_home_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_home_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_home_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, 
sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_home_t, targetd_tmp_t, tcpd_tmp_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_logger_tmp_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_home_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, texlive_home_t, textrel_shlib_t, tgtd_tmp_t, thumb_home_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_home_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, uml_ro_t, uml_rw_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, uux_exec_t, var_spool_t, varnishd_tmp_t, virt_content_t, virt_home_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, vmtools_tmp_t, vmware_conf_t, vmware_file_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wine_home_t, wireshark_home_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_home_t, xauth_tmp_t, xdm_home_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_exec_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t
Last edited by MartinR on 2020/04/21 08:23:09, edited 1 time in total.

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: semanage/restorecon/audit2allow apparently not working

Post by aks » 2020/04/21 06:59:35

AFAIK, file labels are in /etc/selinux/targeted/contexts/files/ (MLS are listed in /etc/selinux/targeted/setrans.conf too I think). The semanage fcontext command will use pattern matching to match whatever you (-a add or -d delete) to the filespec argument. If the pattern doesn't match, I think it'll do jack.

These SELinux labels are stored in extended attributes, so it's just a question of changing the attribute(s) to match the intent. If you know what label you need then change that file to match. Because it's email, it's a bit complex (why wouldn't it be?), so there are various labels that match (for example fetchmail, procmail, sendmail etc), so what program(s) you are using to forward the mail can come into play.

I'd just "force" the change with the chcon command and if that allows the intent, sort out semanage fcontext later (or maybe not at all).

MartinR
Posts: 622
Joined: 2015/05/11 07:53:27
Location: UK

Re: semanage/restorecon/audit2allow apparently not working

Post by MartinR » 2020/04/21 08:22:47

That's the ticket:

# ls --lcontext .forward
-rw-r--r--. 1 unconfined_u:object_r:default_t:s0 XXX XXX 15 Apr 16 10:55 .forward
# chcon -t mail_home_t .forward
# ls --lcontext .forward
-rw-r--r--. 1 unconfined_u:object_r:mail_home_t:s0 XXX XXX 15 Apr 16 10:55 .forward

Now when I turn SELinux back on the mail gets through. I must say that SELinux seems to go out of its way to make life difficult; it is not surprising that the first step in handling any problem is to turn it off temporarily or permanently. It may make sense for MLS systems handling state secrets, but for retired Joe Public running a domestic system it's a right PIA.
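The thread above turns on two points that are easy to miss: `semanage fcontext` records the filespec as a regular expression that is matched against the whole absolute path (so the relative spec `.forward` in the first post can never match `/local/XXX/.forward`, and `restorecon` quietly falls back to the catch-all `default_t` rule), and `chcon` only writes the extended attribute, so a later relabel puts the file back to whatever the specs say. The following is an added illustration, not code from the thread or from the SELinux project: it models the libselinux lookup rule (anchored regex, last matching spec in file order wins) and the default behaviour of `restorecon` (reset only the type field) over a constructed, much-shortened spec list that is loosely modelled on the targeted policy. The path `/local/XXX/.forward` and every context string are taken from the posts or constructed for the demo.

```python
import re

# Constructed sample of file-context specs, in the order libselinux reads them:
# the policy's file_contexts and file_contexts.homedirs first, then the local
# additions that `semanage fcontext -a` appends. Not copied from a real policy.
BASE_SPECS = [
    (r"/.*", "system_u:object_r:default_t:s0"),                   # catch-all
    (r"/home", "system_u:object_r:home_root_t:s0"),
    (r"/home/[^/]+", "unconfined_u:object_r:user_home_dir_t:s0"),
    (r"/home/[^/]+/.*", "unconfined_u:object_r:user_home_t:s0"),
    (r"/home/[^/]+/\.forward", "unconfined_u:object_r:mail_home_t:s0"),
]


def lookup_context(path, specs):
    """Context a matchpathcon/restorecon-style lookup picks for `path`.

    Every regex is anchored to the whole path, and the LAST spec in file
    order that matches wins; that is what lets local rules override policy.
    Returns None when nothing matches (restorecon then leaves the file alone).
    """
    for regex, context in reversed(specs):
        if re.fullmatch(regex, path):
            return context
    return None


def semanage_add(specs, filespec, ftype, seuser="unconfined_u", level="s0"):
    """Model `semanage fcontext -a -t TYPE FILESPEC`: append a local spec.

    The spec is stored exactly as given; nothing turns a relative name such
    as '.forward' into an absolute path, so it will never match a real file.
    """
    return specs + [(filespec, f"{seuser}:object_r:{ftype}:{level}")]


def restorecon(path, current_context, specs, force=False):
    """Model the label restorecon writes for `path`.

    Without -F only the type field is reset; user, role and level of the
    existing label are kept. With -F the whole spec context is applied.
    """
    wanted = lookup_context(path, specs)
    if wanted is None:
        return current_context
    if force:
        return wanted
    fields = current_context.split(":")
    fields[2] = wanted.split(":")[2]
    return ":".join(fields)


def demo():
    """Replay the three situations from the thread on the constructed specs."""
    path = "/local/XXX/.forward"
    as_found = "unconfined_u:object_r:default_t:s0"       # ls -lZ in post 1
    after_chcon = "unconfined_u:object_r:mail_home_t:s0"  # chcon -t in post 3
    results = {}

    # 1. Relative spec, as typed in the first post: it matches nothing, so
    #    restorecon falls through to the catch-all rule and keeps default_t.
    specs = semanage_add(BASE_SPECS, r".forward", "mail_home_t")
    results["relative_spec"] = restorecon(path, as_found, specs)

    # 2. chcon alone: the xattr is set, but the next relabel reverts it
    #    because no spec says the file should be mail_home_t.
    results["chcon_then_restorecon"] = restorecon(path, after_chcon, BASE_SPECS)

    # 3. An absolute, anchored spec covering every home under /local makes the
    #    label survive relabels (hypothetical rule for the demo).
    specs = semanage_add(BASE_SPECS, r"/local/[^/]+/\.forward", "mail_home_t")
    results["absolute_spec"] = restorecon(path, as_found, specs)
    return results


if __name__ == "__main__":
    for name, context in demo().items():
        print(f"{name:24} {context}")
```

On a real box the equivalent checks are `semanage fcontext -l | grep forward` (is there a rule at all, and what exact regex was stored?) and `restorecon -nv /local/XXX/.forward` (dry run: what would it change?). Because the home directories in the thread live under `/local` rather than `/home`, none of the policy's home-directory rules apply to them; the usual remedy is a path equivalence, `semanage fcontext -a -e /home /local`, followed by `restorecon -R /local`, which makes the whole tree inherit the standard home labelling instead of relying on a `chcon` that the next relabel will undo.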
