fedora-selinux December 2011 archive

Re: selinux denial not appearing in logs

From: Paul Howarth <paul_at_nospam>
Date: Thu Dec 29 2011 - 00:15:46 GMT
To: selinux@lists.fedoraproject.org

On Wed, 28 Dec 2011 18:04:30 -0500
Edward Ned Harvey <selinuxadmin@clevertrove.com> wrote:

> How can this happen? It's getting denied, but not appearing in
> either the audit log or the messages file. Running CentOS 6 fully
> updated, php (drupal) inside of httpd tries to send mail via postfix
> (postdrop).
>
>
>
> When I have setenforce 0, the mail goes through. No errors in any
> logs (audit.log, error_log, messages)
>
> When I have setenforce 1, the mail gets blocked. I get this message
> in httpd error_log:
>
> sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
>
> sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
>
> sendmail: fatal: email@example.com(48): unable to execute /usr/sbin/postdrop -r: Success
>
>
>
> I have auditd running. In fact, I regularly use audit2allow to
> create allow policies on this machine. So I can confidently say
> normally my selinux denials get logged in the audit.log. I am at a
> loss to think of any reason this particular failure is not getting
> logged the same way my other error messages usually get logged.
>
>
>
> I believe I can write a custom allow script by hand, but I believe I
> probably shouldn't, or if I try, it will fail for some reason.
>
>
>
> Thanks for your help...

The denials you're getting are probably being dontaudit-ed. See:

http://danwalsh.livejournal.com/11673.html

Paul.
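
The reply above attributes the missing log entries to dontaudit rules. As an added example (not part of the original thread), this script shows the usual way to surface such denials: rebuild the policy with dontaudit rules disabled (semodule -DB), reproduce the failure, read the AVC records, then rebuild with semodule -B. The function names and the sample audit records are constructed for illustration and are not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): surface denials hidden by dontaudit rules.

# Constructed audit records for the offline demo; not from the poster's system.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1325116800.101:40): avc:  denied  { execute } for  pid=2211 comm="sendmail" name="postdrop" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1325116800.101:40): arch=c000003e syscall=59 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
type=AVC msg=audit(1325116900.202:41): avc:  denied  { execute } for  pid=2240 comm="sendmail" name="postdrop" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=AVC msg=audit(1325117000.303:42): avc:  denied  { getattr } for  pid=1900 comm="httpd" path="/srv/www/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
EOF
}

# Reduce AVC denials mentioning $1 to unique "perms|scontext|tcontext|tclass" rows,
# which is the information needed to decide on a boolean, relabel or policy rule.
summarize_avc() {
    grep 'avc: *denied' | grep -- "$1" |
    sed -n 's/.*denied *{ \([^}]*\) }.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1|\2|\3|\4/p' |
    sort -u
}

# Live procedure (needs root on an SELinux host): disable dontaudit rules,
# reproduce the failure, query the audit log, then restore the rules.
reveal_hidden_denials() {
    semodule -DB || return 1     # -D: drop dontaudit rules, -B: rebuild policy
    printf 'Reproduce the failure now, then press Enter: '
    read -r _unused
    ausearch -m avc -ts recent --raw | summarize_avc "$1"
    semodule -B                  # rebuild with dontaudit rules back in place
}

# "--live <pattern>" runs the real procedure; otherwise show the constructed sample.
if [ "${1:-}" = "--live" ]; then
    reveal_hidden_denials "${2:-postdrop}"
else
    sample_audit_log | summarize_avc postdrop
fi
```

While dontaudit rules are disabled the audit log becomes much noisier, so keep the window short and always finish with semodule -B.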