Disabling SELinux dontaudit rules generates selinux warnings about Postfix processes
Issue
- After disabling dontaudit rules, many Postfix-related warning messages appear in syslog:
type=AVC msg=audit(1457689166.592:1982): avc: denied { rlimitinh } for pid=12589 comm="showq" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=process
type=AVC msg=audit(1457689166.592:1982): avc: denied { siginh } for pid=12589 comm="showq" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=process
type=AVC msg=audit(1457689166.592:1982): avc: denied { noatsecure } for pid=12589 comm="showq" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=process
type=SYSCALL msg=audit(1457689166.592:1982): arch=c000003e syscall=59 success=yes exit=0 a0=7fc67c59e6b0 a1=7fc67c59e910 a2=7fc67c597a40 a3=ffffffff items=0 ppid=5512 pid=12589 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showq" exe="/usr/libexec/postfix/showq" subj=system_u:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1457689166.608:1983): avc: denied { read write } for pid=12589 comm="showq" name="unix.showq" dev="dm-0" ino=102022955 scontext=system_u:system_r:postfix_showq_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1457689166.608:1983): arch=c000003e syscall=2 success=no exit=-13 a0=7fbef2a849d0 a1=2 a2=0 a3=2 items=0 ppid=5512 pid=12589 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showq" exe="/usr/libexec/postfix/showq" subj=system_u:system_r:postfix_showq_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1457689188.428:1984): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
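
An added example, not part of the original article: a short Python triage script that groups the audit records above by event ID and pairs each AVC denial with the outcome of its SYSCALL record. This separates denials logged alongside a call that still succeeded (event 1982, execve) from denials where the call failed with exit=-13, EACCES (event 1983). The sample input is abridged from the records on this page; the function name `triage` and the two-entry x86_64 syscall table are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from the audit records on this page (SYSCALL fields trimmed for length).
SAMPLE = '''\
type=AVC msg=audit(1457689166.592:1982): avc: denied { rlimitinh } for pid=12589 comm="showq" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=process
type=AVC msg=audit(1457689166.592:1982): avc: denied { siginh } for pid=12589 comm="showq" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=process
type=SYSCALL msg=audit(1457689166.592:1982): arch=c000003e syscall=59 success=yes exit=0 pid=12589 comm="showq"
type=AVC msg=audit(1457689166.608:1983): avc: denied { read write } for pid=12589 comm="showq" name="unix.showq" scontext=system_u:system_r:postfix_showq_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1457689166.608:1983): arch=c000003e syscall=2 success=no exit=-13 pid=12589 comm="showq"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
X86_64_SYSCALLS = {"2": "open", "59": "execve"}  # only the numbers seen in the sample


def triage(log_text):
    """Group records by audit event ID and pair each denial with its syscall outcome."""
    events = defaultdict(lambda: {"denials": [], "syscall": None, "success": None, "exit": None})
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m or m.group(1) not in ("AVC", "SYSCALL"):
            continue  # e.g. SERVICE_STOP records carry no denial or syscall result
        rtype, event_id, body = m.groups()
        ev = events[int(event_id)]
        if rtype == "AVC":
            a = AVC.search(body)
            if a:
                perms, scon, tcon, tclass = a.groups()
                # Field 3 of user:role:type:level is the SELinux type.
                ev["denials"].append((tuple(perms.split()), scon.split(":")[2], tcon.split(":")[2], tclass))
        else:
            kv = dict(f.split("=", 1) for f in body.split() if "=" in f)
            ev["syscall"] = X86_64_SYSCALLS.get(kv.get("syscall"), kv.get("syscall"))
            ev["success"] = kv.get("success") == "yes"
            ev["exit"] = int(kv.get("exit", 0))
    return dict(events)


if __name__ == "__main__":
    for eid, ev in sorted(triage(SAMPLE).items()):
        outcome = "succeeded" if ev["success"] else f"failed (exit={ev['exit']})"
        print(f"event {eid}: {ev['syscall']} {outcome}")
        for perms, stype, ttype, tclass in ev["denials"]:
            print(f"  denied {{ {' '.join(perms)} }} {stype} -> {ttype} ({tclass})")
```
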
Environment
- Red Hat Enterprise Linux
- Postfix as MTA (default on RHEL 6 and 7)
- SELinux enabled, dontaudit temporarily disabled (semodule -D)