Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Hi Matthew,
Do you have this as well?
fixfiles check;
matchpathcon_filespec_add: conflicting specifications for /var/lib/dovecot/ssl-parameters.dat and /var/run/dovecot/login/ssl-parameters.dat, using system_u:object_r:dovecot_var_run_t:s0.

Don't know if there is a connection yet... not expert.

John

Matthew Gillen wrote:
John Lindgren wrote:

Hi,
New to this list, not totally new to selinux.

Running F7 with everything current (06/04/2007), policy is
selinux-policy-targeted-2.6.4-8.fc7.

cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write }
for  pid=13774 comm="dovecot-auth" capability=29
scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability

type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for
pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket


cat /var/log/audit/audit.log | audit2allow -M local:


cat local.te:
module local 1.0;

require {
       type dovecot_auth_t;
       class capability audit_write;
       class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
create read };


semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Should I add something magical (what, I'm not sure) to the .te to allow
this anyway? Or is there something missing from the distribution
targeted policy? Or edit the base policy and recompile the whole thing?
Or...

Anyone else having this problem?


Yep, I am.  Got tired of tinkering last night and just put it in permissive
mode for the time being.

I'm getting a slightly different .te file, but ultimately the same 2 assertion
violations.

Matt


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
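
Added example, not part of the original message and not audit2allow's own code: a Python parser that turns AVC denials like the two quoted above into the allow rules they correspond to, re-joining records that were wrapped in the mail. The sample log is constructed from the quoted records; the pid in the second record is a placeholder, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the message, wrapped the way
# a mail client wraps them. pid=0 in the second record is a placeholder.
SAMPLE_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write }
for  pid=13774 comm="dovecot-auth" capability=29
scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability

type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for
pid=0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def records(log_text):
    """Re-join audit records that were wrapped across several lines."""
    out = []
    for line in log_text.splitlines():
        if line.startswith("type=") or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def allow_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for m in filter(None, map(AVC_RE.search, records(log_text))):
        # A context is user:role:type[:level]; field 2 is the type.
        src, tgt = (m[k].split(":")[2] for k in ("scon", "tcon"))
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Only the two denials quoted in the message are parsed, so the output covers audit_write and create; the write, nlmsg_relay and read permissions in local.te do not appear in the quoted log lines.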
