On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
But the policy generates errors. I will have to submit a bug report,
it seems
A bug report would probably be helpful.
I'm looking back at the message you wrote describing errors in
ld-2.17.so. I think what's happening is that the policy on your system
includes a silent rule that somehow breaks your system. You'll need to
turn on debugging (logging the otherwise silent AVCs) to figure this
out, in order to provide information that the maintainers can use to
actually fix the problem.
So, similar to the previous process:
1: semodule -DB
2: setenforce permissive
3: tail -f /var/log/audit/audit.log | grep AVC
4: use the service, exercise each function that's constrained by the
existing policy
5: copy and paste the output from the terminal used for #2 into
"audit2allow -M <modulename>"
6: setenforce enforcing
7: semodule -B
You'll want to do this with your custom policy installed. In the
terminal that's following audit.log, you should now see AVCs logged that
you didn't before. Please send them to the list.
If you're only interested in resolving your problem, it should be
sufficient to build one new module with the AVCs logged here. If you
want to produce a useful bug report and fix the problem for the future,
for everyone, you need to first get back into enforcing mode and THEN
build a new module with each individual AVC, installing each one and
then testing dovecot, until you resolve the problem, and then removing
all of the other new modules until you confirm that you've found one (or
a minimal combination) of rules that is causing dovecot to crash and log
a backtrace.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos