Page 1 of 1

MAxmind GeoLite2-Country.mmdb Selinux avc: denied mscan_t

Posted: 29 Feb 2020 11:55
by henk
Running the latest updates.
Every time mail is processed, the next message shows up in /var/log/audit/audit.log

Code: Select all

type=AVC msg=audit(1582944114.367:529105): avc:  denied  { getattr } for  pid=8630 comm=4D61696C5363616E6E65723A207374 path="/var/www/html/mailscanner/temp/GeoLite2-Country.mmdb" dev="dm-2" ino=50464433 scontext=system_u:system_r:mscan_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1582944114.367:

Code: Select all

ls -lZ /var/www/html/mailscanner/temp/GeoLite2-Country.mmdb
-rw-r--r--. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/mailscanner/temp/GeoLite2-Country.mmdb

Code: Select all

ausearch -m 'AVC' --raw | audit2allow -M my-geo
The my-geo.pp

Code: Select all

module my-geo 1.0;

require {
        type mscan_t;
        type chkpwd_t;
        type systemd_timedated_t;
        type httpd_sys_rw_content_t;
        type httpd_sys_content_t;
        type httpd_sys_script_t;
        type postfix_local_t;
        class dir { getattr search };
        class file { getattr read };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t chkpwd_t:file read;
allow httpd_sys_script_t postfix_local_t:dir getattr;
allow httpd_sys_script_t systemd_timedated_t:dir search;

#============= mscan_t ==============
allow mscan_t httpd_sys_content_t:file getattr;

#!!!! The file '/var/www/html/mailscanner/temp/GeoLite2-Country.mmdb' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/html/mailscanner/temp/GeoLite2-Country.mmdb
allow mscan_t httpd_sys_rw_content_t:file getattr;
Possible solutions??? --I didn't want to set

Code: Select all

semanage permissive -a mscan_t

Re: MAxmind GeoLite2-Country.mmdb Selinux avc: denied mscan_t

Posted: 29 Feb 2020 12:34
by shawniverson
I'll add a rule to the eFa selinux policy.

Re: MAxmind GeoLite2-Country.mmdb Selinux avc: denied mscan_t

Posted: 29 Feb 2020 16:02
by shawniverson
On second thought, no, the file is indeed mislabeled

Code: Select all

#!!!! The file '/var/www/html/mailscanner/temp/GeoLite2-Country.mmdb' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/html/mailscanner/temp/GeoLite2-Country.mmdb
Correct permissions and label...

Code: Select all

-rw-r--r--. php-fpm php-fpm system_u:object_r:httpd_sys_content_t:s0 GeoLite2-Country.mmdb