| 1 |
On Fri, 2003-06-27 at 11:35, Zack Gilburd wrote: |
| 2 |
> <http://tehunlose.com/tmp/sehelp.txt>. The reason why I say it is the most |
| 3 |
> important is because, with the errors provided and while the amavisd.log says |
| 4 |
> that everything is happening okay, I am not quite sure that amavisd is able |
| 5 |
> to do what it *needs* to do (SpamAssassin filtering and clamav/clamd |
| 6 |
> fitlering). |
| 7 |
|
| 8 |
There needs to be a policy for postfix, spamassasin and clam{av,d}. |
| 9 |
We'll soon be working on policies for common daemons. |
| 10 |
|
| 11 |
> The second problem I am having occurs when I enter enforcing mode. I have a |
| 12 |
> proftpd daemon running. When I enter into enforcing mode, my users can no |
| 13 |
> longer authenticate sucessfully, although they can telnet in. If/when they |
| 14 |
> telnet in during enforce mode, their username is accepted but their correct |
| 15 |
> password is rejected. The users are able to SSH in, though, so I am guessing |
| 16 |
> it's a a problem with my policies. |
| 17 |
|
| 18 |
Proftpd will also need its own policy. It's probably running in |
| 19 |
initrc_t right now, and when it goes to authenticate someone, its being |
| 20 |
denied. |
| 21 |
|
| 22 |
> The third problem also occurs during enforce mode. When I try to send mail to |
| 23 |
> myself through telnet (for debugging purposes, I'm not that oldschool ;)), |
| 24 |
> everything *appears* to go through correctly. However, I never receive the |
| 25 |
> mail. I notice no evidence of a problem in any of my log files. In fact, |
| 26 |
> that brings me to my fourth problem. |
| 27 |
|
| 28 |
This is related to the missing postfix policy. |
| 29 |
|
| 30 |
> When I enter enforcing mode, all of my log files stop flowing -- all of them. |
| 31 |
> kern.log, messages, etc., they all just... stop. I am guessing that the log |
| 32 |
> files can not be written under my current policies, but that is just my |
| 33 |
> haphazard guess. |
| 34 |
|
| 35 |
The syslog is most likely not running in the correct context. |
| 36 |
|
| 37 |
> Also, in enforcing mode, I can no longer scp to or from my SELinux box. |
| 38 |
|
| 39 |
Most likely a mislabeled home dir; logging in as staff_r, when your home |
| 40 |
dir is still user_home_(dir_)t. See file_contexts/staff.fc (in the |
| 41 |
policy dir) to see how to fix this. |
| 42 |
|
| 43 |
-- |
| 44 |
Chris PeBenito |
| 45 |
<pebenito@g.o> |
| 46 |
Developer, SELinux |
| 47 |
Hardened Gentoo Linux |
| 48 |
|
| 49 |
"Engineering does not require science. Science helps |
| 50 |
a lot, but people built perfectly good brick walls |
| 51 |
long before they knew why cement works."-Alan Cox |
| 52 |
|
| 53 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 54 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives