John Lindgren wrote:
> Hi,
> New to this list, not totally new to selinux.
>
> Running F7 with everything current (06/04/2007), policy is
> selinux-policy-targeted-2.6.4-8.fc7.
>
> cat /var/log/audit/audit.log:
> type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
> for pid=13774 comm="dovecot-auth" capability=29
> scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>
> type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
> pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>
>
> cat /var/log/audit/audit.log | audit2allow -M local:
>
>
> cat local.te:
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> class capability audit_write;
> class netlink_audit_socket { write nlmsg_relay create read };
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability audit_write;
> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> create read };
>
>
> semodule -i local.pp:
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:capability { audit_write };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> Should I add something magical (what, I'm not sure) to the .te to allow
> this anyway? Or is there something missing from the distribution
> targeted policy? Or edit the base policy and recompile the whole thing?
> Or...
>
> Anyone else having this problem?

Yep, I am. Got tired of tinkering last night and just put it in permissive mode for the time being. I'm getting a slightly different .te file, but ultimately the same 2 assertion violations.

Matt