Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Stephen Smalley <sds@xxxxxxxxxxxxx> · Tue, 05 Jun 2007 08:38:36 -0400

On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
> Hi,
> New to this list, not totally new to selinux.
> 
> Running F7 with everything current (06/04/2007), policy is 
> selinux-policy-targeted-2.6.4-8.fc7.
> 
> cat /var/log/audit/audit.log:
> type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write } 
> for  pid=13774 comm="dovecot-auth" capability=29 
> scontext=root:system_r:dovecot_auth_t:s0 
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> 
> type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for 
> pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 
> tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> 
> 
> cat /var/log/audit/audit.log | audit2allow -M local:
> 
> 
> cat local.te:
> module local 1.0;
> 
> require {
>          type dovecot_auth_t;
>          class capability audit_write;
>          class netlink_audit_socket { write nlmsg_relay create read };
> }
> 
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability audit_write;
> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay 
> create read };
> 
> 
> semodule -i local.pp:
> libsepol.check_assertion_helper: assertion on line 0 violated by allow 
> dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow 
> dovecot_auth_t dovecot_auth_t:capability { audit_write };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> 
> Should I add something magical (what, I'm not sure) to the .te to allow 
> this anyway? Or is there something missing from the distribution 
> targeted policy? Or edit the base policy and recompile the whole thing? 
> Or...
> 
> Anyone else having this problem?

The policy contains certain assertions (neverallow rules) to prevent
accidental adding of allow rules that are highly security sensitive or
that indicate a mistake in labeling.

To override such assertions, you have to add an appropriate type
attribute to the type to enable it to pass the neverallow rule.  This is
usually done by using the right refpolicy interface.  In this case, that
appears to be:
	logging_send_audit_msg(dovecot_auth_t)

So replace those two allow rules with the above interface call.

Karl, any reason audit2allow didn't find that interface automatically?

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list