In Gwalior, I’d installed an eGroupware instance on a Fedora Core 6 box. In the Felamimail module of eGroupware, I got this error: Can't connect to mail.server,143: Permission denied. I checked the IMAP server, and found it was running. Then I checked my iptables rules; those were also fine. So, after this I checked my /var/log/audit/audit.log and found the following AVC denial message:
type=AVC msg=audit(1172212945.073:194): avc: denied { name_connect } for pid=3772 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
On passing this message through the audit2allow tool, I got the following allow rule:
allow httpd_t pop_port_t:tcp_socket name_connect;
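The step audit2allow performs here, as an added example (not the author's code and not audit2allow's implementation): it parses AVC denials and merges them into allow rules, keeping the destination ports seen. The log lines are constructed, modelled on the denial above; the second port is an assumption, included to show that a type-based rule covers every port labelled pop_port_t, not only 143.

```python
import re

# Constructed sample modelled on the denial quoted above (not a captured log).
SAMPLE_LOG = """\
type=AVC msg=audit(1172212945.073:194): avc:  denied  { name_connect } for  pid=3772 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1172212950.101:195): avc:  denied  { name_connect } for  pid=3780 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1172212951.500:196): avc:  granted  { read } for  pid=3780 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms, dest) per denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (granted records, other audit types)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= set(f):
            continue  # truncated record, nothing to build a rule from
        yield (se_type(f["scontext"]), se_type(f["tcontext"]), f["tclass"],
               set(m.group("perms").split()), f.get("dest"))

def allow_rules(log_text):
    """Merge denials into allow rules; return (rule, ports_seen) pairs."""
    merged = {}
    for src, tgt, tclass, perms, dest in parse_denials(log_text):
        entry = merged.setdefault((src, tgt, tclass), (set(), set()))
        entry[0].update(perms)
        if dest:
            entry[1].add(int(dest))
    rules = []
    for (src, tgt, tclass), (perms, ports) in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(("allow %s %s:%s %s;" % (src, tgt, tclass, perm_txt), sorted(ports)))
    return rules

if __name__ == "__main__":
    for rule, ports in allow_rules(SAMPLE_LOG):
        print(rule, "# ports seen:", ports)
```

Both constructed denials collapse into the single rule shown above, which is why the ports actually observed are worth reviewing before a generated rule goes into policy.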
So, now to add this rule to the SELinux policy, I downloaded the selinux-policy SRPM, and installed it in ~/rpmbuild. Then I modified ~/rpmbuild/BUILD/serefpolicy-*/policy/modules/services/apache.te to contain my allow rules, and since I added a boolean, I needed to add an entry in ~/rpmbuild/BUILD/serefpolicy-*/policy/global_tunables also. So, after changing, I generated a diff of my changes and placed it in ~/rpmbuild/SOURCES. And since I need to modify the sources at the time of building the new RPM, I need to modify my .spec file also, to apply the diff I placed in SOURCES at the time of preparing sources. So following is the diff which needs to be applied on ~/rpmbuild/SPECS/selinux-policy.spec to generate a new .spec.
--- selinux-policy.spec.old 2007-02-16 22:48:14.000000000 +0530 +++ selinux-policy.spec 2007-02-22 22:53:56.000000000 +0530 @@ -17,11 +17,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.4.6 -Release: 40%{?dist} +Release: 41%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz -patch: policy-20061106.patch +patch0: policy-20061106.patch +patch1: policy-20070222.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -166,7 +167,8 @@ %prep %setup -q -n serefpolicy-%{version} -%patch -p1 +%patch0 -p1 +%patch1 -p1 %install # Build targeted policy
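Review bot: In the first hunk, the Release bump from 40 to 41 and the new `patch1: policy-20070222.patch` line come with no %changelog hunk anywhere in this diff, and nothing in the spec says what the second patch carries. Add a %changelog entry for release 41 and a one-line comment above `patch1:` stating what it changes, so that a later rebase onto a newer policy can tell the local patch apart from policy-20061106.patch.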
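Review bot: In the %prep hunk, `%patch1 -p1` runs after `%patch0 -p1` inside the tree that `%setup -q -n serefpolicy-%{version}` unpacks, so policy-20070222.patch has to be generated against a tree that already has policy-20061106.patch applied, with exactly one leading path component; a diff taken against pristine sources may fail or apply with offsets. Consider adding a backup suffix, for example `%patch1 -p1 -b .local` (the suffix name is arbitrary), so the patch can be regenerated easily.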
The file policy-20070222.patch (md5sum: b43fd29ca9d290fdfcb7d045363195d7) needs to be placed in ~/rpmbuild/SOURCES. I’ve used selinux-policy-2.4.6-40.fc6.src.rpm as the reference policy. Anyways, happy SELinuxing :)