First, identify the lines in /var/log/audit/audit.log that relate to your case, for example:
type=AVC msg=audit(1415573843.208:2609): avc: denied { getattr } for pid=12969 comm="sendmail" path="/run/smfs/smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575051.524:3068): avc: denied { write } for pid=13609 comm="sendmail" name="smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575527.915:3082): avc: denied { connectto } for pid=13759 comm="sendmail" path="/run/smfs/smf-grey.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Install the packages policycoreutils, policycoreutils-python, checkpolicy and setroubleshoot, then run:
cat file_with_needed_audit_lines | audit2allow -m greylist > greylist.te
checkmodule -M -m -o greylist.mod greylist.te
semodule_package -m greylist.mod -o greylist.pp
semodule -i greylist.pp
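Before running semodule -i it is worth reading greylist.te to see exactly what is being allowed. The following added example (not from the original post, and not audit2allow itself) parses the three AVC records above into allow rules and renders them in the same type-enforcement form that audit2allow -m generates; the sample input is constructed from the post, and a real run would read /var/log/audit/audit.log.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the post, one per line.
# In practice this text would come from /var/log/audit/audit.log.
AVC_LINES = """\
type=AVC msg=audit(1415573843.208:2609): avc: denied { getattr } for pid=12969 comm="sendmail" path="/run/smfs/smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575051.524:3068): avc: denied { write } for pid=13609 comm="sendmail" name="smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575527.915:3082): avc: denied { connectto } for pid=13759 comm="sendmail" path="/run/smfs/smf-grey.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)')

def parse_denials(text, comm=None):
    """Return {(source_type, target_type, tclass): set(perms)} for AVC denials.
    If comm is given, only records whose comm="..." matches are kept."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if comm and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ignore it
        key = (m['stype'], m['ttype'], m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)

def to_te(rules, name):
    """Render the aggregated denials as a type-enforcement (.te) module source."""
    types, classes = set(), defaultdict(set)
    for (s, t, cls), perms in rules.items():
        types.update((s, t))
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te(parse_denials(AVC_LINES, comm="sendmail"), "greylist"))
```

Note that the resulting rule allow sendmail_t var_run_t:sock_file { getattr write }; grants access to every sock_file labelled var_run_t, not only smf-grey.sock, because the socket carries the generic var_run_t label; labelling the socket with a more specific type would give a tighter policy than the generated module.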
Oh, and if you need to allow a service to use additional ports, use semanage, for example:
semanage port -l | grep smtp
semanage port -a -t smtp_port_t -p tcp 2525