Jay Cliburn wrote:
> On Fri, 2006-07-14 at 07:59 +0100, Paul Howarth wrote:
>> On Thu, 2006-07-13 at 19:44 -0500, Jay Cliburn wrote:
>>> After installing postfix under FC6T1, I kept getting this avc:
>>>
>>> audit(1152836951.218:8): avc: denied { getattr } for pid=3130
>>> comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752
>>> scontext=user_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:object_r:man_t:s0 tclass=file
>>>
>>> It's a manpage and it looks to me like it came from the factory labeled
>>> incorrectly. A chcon to system_u:object_r:man_t seems to have fixed it.
>>
>> This has been seen before on FC5:
>> http://www.redhat.com/archives/fedora-selinux-list/2006-June/msg00021.html
>>
>> It appears to happen when postfix is started. The AVC suggests that the
>> manpage already has the correct context, and the strange thing is that
>> the postfix master program is trying to access it (why should that be?).
>
> So the "tcontext" in the AVC message indicates the current context of
> the file called out in "name"?

Yes, the "scontext" or "source context" is that of the calling process,
and the "tcontext" or "target context" is that of the object being acted on.
That's my understanding of it.

Paul.
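
The reading of the AVC record given in the reply above, as an added example that is not part of the original thread: a small Python parser, run on the record quoted in the thread, that splits `scontext` (the calling process) and `tcontext` (the object acted on) into their fields. The function names are illustrative assumptions, not part of any SELinux tool.

```python
import re

# The AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'audit(1152836951.218:8): avc: denied { getattr } for pid=3130 '
    'comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752 '
    'scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:man_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Return the decision, permissions, and both contexts of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('no AVC record found')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in fields]
    if missing:
        raise ValueError(f'AVC record lacks {missing}')
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source': split_context(fields['scontext']),  # the calling process
        'target': split_context(fields['tcontext']),  # the object acted on
        'tclass': fields['tclass'],
        'fields': fields,
    }


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(f"{rec['result']} {{ {' '.join(rec['perms'])} }}: process type "
          f"{rec['source']['type']} on {rec['tclass']} {rec['fields']['name']!r} "
          f"labeled {rec['target']['type']}")
```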