seaudit report detail

Posted by user1014130 on Server Fault See other posts from Server Fault or by user1014130
Published on 2012-06-21T14:42:34Z Indexed on 2012/06/21 15:17 UTC
Read the original article Hit count: 242

Filed under:

I've just started using selinux in the last 6 months and am getting to grips with it. However, using sealert on a new CENTOS 6 server, Im not getting the level of detail I was with CENTOS 5. To illustrate:

Running sealert -a /var/log/audit/audit.log

On CENTOS 5 I get:

Summary:

SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to /var/log/httpd/error_log (httpd_log_t).

Detailed Description:

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/httpd/error_log,

restorecon -v '/var/log/httpd/error_log'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context root:system_r:postfix_postdrop_t Target Context system_u:object_r:httpd_log_t Target Objects
/var/log/httpd/error_log [ file ] Source
postdrop Source Path /usr/sbin/postdrop Port
Host Source RPM Packages postfix-2.3.3-2.1.el5_2 Target RPM Packages Policy RPM
selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled
True Enforcing Mode Enforcing Plugin Name
catchall_file Host Name
server109-228-26-144.live-servers.net Platform
Linux server109-228-26-144.live-servers.net 2.6.18-194.8.1.el5 #1 SMP Thu Jul 1 19:04:48 EDT 2010 x86_64 x86_64 Alert Count 1 First Seen Wed Jun 13 11:43:55 2012 Last Seen
Wed Jun 13 11:43:55 2012

but on CENTOS 6 I just get:

Summary:

SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to /var/log/httpd/error_log (httpd_log_t).

Detailed Description:

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/httpd/error_log,

restorecon -v '/var/log/httpd/error_log'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Im running exactly the same command. Does anyone have any idea why Im not getting the "Additional information" that I do with CENTOS 5?

Thanks in advance Dylan

© Server Fault or respective owner

Related posts about centos5