On Mon, 2007-06-04 at 21:25 -0400, Matthew Gillen wrote:
> John Lindgren wrote:
> > Hi,
> > New to this list, not totally new to selinux.
> >
> > Running F7 with everything current (06/04/2007), policy is
> > selinux-policy-targeted-2.6.4-8.fc7.
> >
> > cat /var/log/audit/audit.log:
> > type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
> > for pid=13774 comm="dovecot-auth" capability=29
> > scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> >
> > type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
> > pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> >
> >
> > cat /var/log/audit/audit.log | audit2allow -M local:
> >
> >
> > cat local.te:
> > module local 1.0;
> >
> > require {
> >         type dovecot_auth_t;
> >         class capability audit_write;
> >         class netlink_audit_socket { write nlmsg_relay create read };
> > }
> >
> > #============= dovecot_auth_t ==============
> > allow dovecot_auth_t self:capability audit_write;
> > allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> > create read };
> >
> >
> > semodule -i local.pp:
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:capability { audit_write };
> > libsepol.check_assertions: 2 assertion violations occured
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule: Failed!
> >
> > Should I add something magical (what, I'm not sure) to the .te to allow
> > this anyway? Or is there something missing from the distribution
> > targeted policy? Or edit the base policy and recompile the whole thing?
> > Or...
> >
> > Anyone else having this problem?
>
> Yep, I am. Got tired of tinkering last night and just put it in permissive
> mode for the time being.
>
> I'm getting a slightly different .te file, but ultimately the same 2 assertion
> violations.
>
> Matt
>

Same here ...
I yum installed every selinux related package.
I made localaudit.pp typing

#audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te

at /usr/share/selinux/devel

#semodule -i localaudit.pp

violation reported by libsepol.check_assertions

local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };

So, I commented out those lines in localaudit.te, including the require brace.
This time I succeeded in installing localaudit.pp.

I restarted my machine, setting Enforcing/strict.
During the startup process, I could see Keymap had failed.
I can't log in from the console. I typed as on a US keyboard, not jp106, and still I can't.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
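
An added example, not written by any poster in this thread and not part of the SELinux tooling: a Python pre-check that parses AVC denials laid out like the audit.log excerpt above and separates the allow rules audit2allow would emit into those that hit a (class, permission) pair libsepol rejected in this thread and those that do not. The `ASSERTED` set holds only the pairs named in the thread's error output, not the policy's full assertion list, and the sample log lines are constructed from the quoted records.

```python
import re
from collections import defaultdict

# (class, permission) pairs that libsepol reported as assertion violations in
# this thread's semodule output; an assumption, not the policy's full list.
ASSERTED = {
    ("capability", "audit_write"),
    ("capability", "audit_control"),
    ("netlink_audit_socket", "nlmsg_relay"),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)"
)

def parse_denials(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    flat = " ".join(log_text.split())  # undo line wrapping inside records
    rules = defaultdict(set)
    for m in AVC_RE.finditer(flat):
        # A context is user:role:type[:level]; rules are written on the type.
        src, tgt = m["s"].split(":"), m["t"].split(":")
        if len(src) < 3 or len(tgt) < 3:
            continue  # malformed context, nothing to build a rule from
        rules[(src[2], tgt[2], m["c"])].update(m["perms"].split())
    return rules

def split_rules(rules):
    """Return (loadable, blocked) allow rules as audit2allow-style strings."""
    loadable, blocked = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        for bucket, hit in ((blocked, True), (loadable, False)):
            chosen = sorted(p for p in perms if ((cls, p) in ASSERTED) == hit)
            if chosen:
                bucket.append(f"allow {src} {target}:{cls} {{ {' '.join(chosen)} }};")
    return loadable, blocked

# Constructed sample, modelled on the records quoted in the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003986.021:18663): avc: denied { create } for pid=13774 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181003986.022:18664): avc: denied { nlmsg_relay } for pid=13774 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
"""

if __name__ == "__main__":
    ok, bad = split_rules(parse_denials(SAMPLE_LOG))
    print("loadable:", *ok, sep="\n  ")
    print("blocked by assertions seen in this thread:", *bad, sep="\n  ")
```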