Como eu corrijo este erro do SEVinot do SEVinot no audit.log no CentOS?

1

Estou recebendo esses erros do SELinux em /var/log/audit/audit.log para dovecot .

type=USER_AUTH msg=audit(1404794536.249:100679): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:authentication acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1404794536.260:100680): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:accounting acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'
type=AVC msg=audit(1404794537.473:100681): avc:  denied  { read } for  pid=30020 comm="imap" name="starrychloe" dev=xvde ino=152404 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1404794537.473:100681): arch=c000003e syscall=2 success=no exit=-13 a0=7fc64f910eb0 a1=0 a2=0 a3=0 items=0 ppid=20321 pid=30020 auid=0 uid=502 gid=501 euid=502 suid=502 fsuid=502 egid=501 sgid=12 fsgid=501 tty=(none) ses=2700 comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=USER_AUTH msg=audit(1404794537.925:100682): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:authentication acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1404794537.935:100683): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:accounting acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'
type=USER_AUTH msg=audit(1404794553.944:100684): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:authentication acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1404794553.954:100685): user pid=28375 uid=0 auid=0 ses=2700 subj=unconfined_u:system_r:dovecot_auth_t:s0 msg='op=PAM:accounting acct="starrychloe" exe="/usr/libexec/dovecot/auth" hostname=99.99.99.99 addr=99.99.99.99 terminal=dovecot res=success'

Eu tentei

# sealert -a /tmp/dovecot5.log
100% donefound 1 alerts in /tmp/dovecot5.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/dovecot/imap from read access on the directory starrychloe.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that imap should be allowed read access on the starrychloe directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep imap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Então

# cat /tmp/dovecot5.log | audit2allow -M dovecot
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i dovecot.pp

Que gerou

# cat dovecot.te

module dovecot 1.0;

require {
        type dovecot_t;
        type home_root_t;
        class dir read;
}

#============= dovecot_t ==============
allow dovecot_t home_root_t:dir read;

No entanto, recebi este erro

# semodule -i dovecot.pp
libsepol.print_missing_requirements: dovecot's global requirements were not met: type/attribute dovecot_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Estas são as permissões no diretório

# ls -dZ /home/starrychloe
drwxr-xr-x. starrychloe starrychloe unconfined_u:object_r:home_root_t:s0 /home/starrychloe

Estou usando o CentOS 6.5.

    
por Chloe 08.07.2014 / 07:12

1 resposta

1

O contexto de segurança do seu diretório pessoal está errado. Não sei por que o setroubleshoot não detectou isso, mas a correção é corrigir o contexto de segurança.

restorecon /home/starrychloe
    
por 08.07.2014 / 07:17