COMMANDS TO FIND AND FIX MISCONFIGURATIONS IN SELinux ON A SERVER
Assumptions:
Installed rpms:
yum install setroubleshoot-server
yum install policycoreutils-python
Verify problem:
On a different server, ran: telnet mail6.its.uconn.edu 25
[root@mail4 bin]# telnet mail6.its.uconn.edu 25
Trying 137.99.51.69...
Connected to mail6.its.uconn.edu.
Escape character is '^]'.
The TCP connection is accepted, but no 220 ESMTP greeting follows (compare the correct session below).
Example of a correct connection: telnet mail5.its.uconn.edu 25
[root@mail4 bin]# telnet mail5.its.uconn.edu 25
Trying 137.99.51.68...
Connected to mail5.its.uconn.edu.
Escape character is '^]'.
220 mail5.its.uconn.edu ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
SECTION A
1. Pull the recent AVC denial records from the audit log to identify what SELinux is blocking, by running the command:
ausearch -m AVC,USER_AVC -ts recent
Typical OUTPUT:
time->Wed Dec 4 12:25:43 2019
type=PROCTITLE msg=audit(1575480343.280:173999): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D6F007374726573733D002D730032
type=SYSCALL msg=audit(1575480343.280:173999): arch=c000003e syscall=2 success=no exit=-13 a0=55d60928ab10 a1=2 a2=0 a3=3 items=0 ppid=25277 pid=12626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1575480343.280:173999): avc: denied { read write } for pid=12626 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
SECTION B
1. Pull the setroubleshoot message logged at the timestamp shown in the “ausearch” output, by running the command:
journalctl -t setroubleshoot --since=12:25
Dec 04 12:25:47 mail6.its.uconn.edu setroubleshoot[12631]: SELinux is preventing smtpd from 'read, write' accesses on the file inet.smtp. For complete SELinux messages run: sealert -l 8c893ceb-e3d3-425f-9be7-0229645517ef
SECTION C
1. Pull the full alert using the Local ID shown in the “journalctl” output, by running the command:
sealert -l 8c893ceb-e3d3-425f-9be7-0229645517ef
Typical OUTPUT:
SELinux is preventing smtpd from 'read, write' accesses on the file inet.smtp.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that smtpd should be allowed read write access on the inet.smtp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -i my-smtpd.pp
Additional Information:
Source Context system_u:system_r:postfix_smtpd_t:s0
Target Context unconfined_u:object_r:var_run_t:s0
Target Objects inet.smtp [ file ]
Source smtpd
Source Path smtpd
Port <Unknown>
Host mail6.its.uconn.edu
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name mail6.its.uconn.edu
Platform Linux mail6.its.uconn.edu 3.10.0-1062.4.1.el7.x86_64 #1 SMP Wed Sep 25 09:42:57 EDT 2019 x86_64 x86_64
Alert Count 7
First Seen 2019-12-04 12:23:40 EST
Last Seen 2019-12-04 12:29:47 EST
Local ID 8c893ceb-e3d3-425f-9be7-0229645517ef
Raw Audit Messages
type=AVC msg=audit(1575480587.475:174010): avc: denied { read write } for pid=12955 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
Hash: smtpd,postfix_smtpd_t,var_run_t,file,read,write
NOTICE: The solution is the pair of commands listed under “allow this access for now by executing:” in the above output (highlighted in green in the original): the ausearch | audit2allow pipeline builds a local policy module, and semodule -i loads it. audit2allow builds the module from whatever denials it is fed, so review the generated my-smtpd.te before loading it.
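The steps above read the AVC fields in Section A by eye and rely on sealert to summarise them in Section C. The following shell helper does the same parsing on the Section A records, reproduces sealert's Hash line, decodes the hex proctitle, and flags a target context that suggests a mislabeled file. This is an added example, not part of the original notes or of the setroubleshoot tools; the sample records are copied from Section A, and the mislabel heuristic and the restorecon suggestion are the editor's, not sealert output.

```shell
#!/bin/sh
# Constructed samples: the AVC and PROCTITLE records from the Section A ausearch output.
SAMPLE_AVC='type=AVC msg=audit(1575480343.280:173999): avc: denied { read write } for pid=12626 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0'
SAMPLE_PROCTITLE='736D747064002D6E00736D7470002D7400696E6574002D75002D6F007374726573733D002D730032'

# Pull one key=value field out of an audit record, with surrounding quotes stripped.
avc_field() {  # $1 = record, $2 = key
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission list between "denied {" and "}", whitespace normalised.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | xargs
}

# Third component of user:role:type:level is the SELinux type (e.g. postfix_smtpd_t).
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Reproduce the "Hash:" line sealert prints: comm,source type,target type,class,perms.
avc_summary() {
    rec=$1
    printf '%s,%s,%s,%s,%s\n' "$(avc_field "$rec" comm)" \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" "$(avc_perms "$rec" | tr ' ' ',')"
}

# Editor's heuristic: a target owned by unconfined_u with a generic type (var_run_t,
# var_t, tmp_t) usually means the file was created or copied from an admin shell and
# is mislabeled. Relabeling it (restorecon -v <path>) is narrower than a catch-all allow.
avc_looks_mislabeled() {
    case "$(avc_field "$1" tcontext)" in
        unconfined_u:object_r:var_run_t:*|unconfined_u:object_r:var_t:*|unconfined_u:object_r:tmp_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decode the hex proctitle (NUL-separated argv) into the command line that was denied.
proctitle_decode() {
    hex=$1; out=''
    while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}; hex=${hex#??}
        if [ "$pair" = "00" ]; then out="$out "
        else out="$out$(printf "\\$(printf '%03o' "0x$pair")")"; fi
    done
    printf '%s\n' "$out"
}

avc_summary "$SAMPLE_AVC"            # smtpd,postfix_smtpd_t,var_run_t,file,read,write
proctitle_decode "$SAMPLE_PROCTITLE" # smtpd -n smtp -t inet -u -o stress= -s 2
avc_looks_mislabeled "$SAMPLE_AVC" && echo 'target looks mislabeled: check its label before loading a module'
```

Feed it real records with `ausearch -m AVC -ts recent` and compare the summary against the Hash line sealert prints for the same Local ID.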