On Fri, 2003-06-27 at 11:35, Zack Gilburd wrote:
> <http://tehunlose.com/tmp/sehelp.txt>. The reason why I say it is the most
> important is because, with the errors provided and while the amavisd.log says
> that everything is happening okay, I am not quite sure that amavisd is able
> to do what it *needs* to do (SpamAssassin filtering and clamav/clamd
> filtering).

There needs to be a policy for postfix, spamassassin and clam{av,d}.
We'll soon be working on policies for common daemons.

> The second problem I am having occurs when I enter enforcing mode. I have a
> proftpd daemon running. When I enter into enforcing mode, my users can no
> longer authenticate successfully, although they can telnet in. If/when they
> telnet in during enforce mode, their username is accepted but their correct
> password is rejected. The users are able to SSH in, though, so I am guessing
> it's a problem with my policies.

Proftpd will also need its own policy. It's probably running in
initrc_t right now, and when it goes to authenticate someone, it's being
denied.

> The third problem also occurs during enforce mode. When I try to send mail to
> myself through telnet (for debugging purposes, I'm not that oldschool ;)),
> everything *appears* to go through correctly. However, I never receive the
> mail. I notice no evidence of a problem in any of my log files. In fact,
> that brings me to my fourth problem.

This is related to the missing postfix policy.

> When I enter enforcing mode, all of my log files stop flowing -- all of them.
> kern.log, messages, etc., they all just... stop. I am guessing that the log
> files can not be written under my current policies, but that is just my
> haphazard guess.

The syslog is most likely not running in the correct context.

> Also, in enforcing mode, I can no longer scp to or from my SELinux box.

Most likely a mislabeled home dir; logging in as staff_r, when your home
dir is still user_home_(dir_)t. See file_contexts/staff.fc (in the
policy dir) to see how to fix this.

--
Chris PeBenito
<pebenito@g.o>
Developer, SELinux
Hardened Gentoo Linux

"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls
long before they knew why cement works."-Alan Cox

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
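
Several of the diagnoses in this message come down to a daemon still running in initrc_t because no policy gives it a domain of its own. The following is an added example, not part of the original message: a shell function that filters a process listing in `ps -eZ` format for that type. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes still running in the generic initrc_t domain.
# Input:  lines in `ps -eZ` format (LABEL PID TTY TIME CMD) on stdin.
# Output: "PID CMD" for each process whose SELinux type is initrc_t.
find_initrc_procs() {
    awk '
        NR == 1 && $1 == "LABEL" { next }   # skip the ps header line
        {
            # A context is user:role:type, optionally followed by :level.
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == "initrc_t")
                print $2, $NF               # PID and command name
        }
    '
}

# Constructed sample listing, not captured from a real system.
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:syslogd_t       412 ?        00:00:00 syslog-ng
system_u:system_r:initrc_t        530 ?        00:00:00 proftpd
system_u:system_r:initrc_t        544 ?        00:00:02 amavisd
system_u:system_r:sshd_t          601 ?        00:00:00 sshd
system_u:system_r:initrc_t        655 ?        00:00:00 master
EOF
}

# Demonstration on the constructed listing; on a live system, pipe in
# the output of `ps -eZ` instead.
sample_ps_output | find_initrc_procs
```

Every process it reports was started by an init script without a domain transition, so it is confined only by the rules for initrc_t rather than by a policy written for that daemon.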