Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Just to close this thread out:

I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7

removed the local.pp I made earlier:
# semodule -r local

forced a reload of the policy:
# semodule -R

rotated the audit log:
# logrotate -f /etc/logrotate.d/audit

Then I went and exercised the mail system, sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.

took a look at the fresh audit.log
# audit2allow -a

And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;

But notice, NO DOVECOT!


made a module:
# cat /var/log/audit/audit.log | audit2allow -M localMAIL

installed it:
# semodule -i localMAIL.pp

put selinux back into enforce:
# setenforce 1

and re-rotated the log:
# logrotate -f /etc/logrotate.d/audit

Then sat back and waited for the phone to ring... {quiet}

Confirmed with:
# audit2allow -a

And got nothing. Everything working great now.

New policy package fixed dovecot problem, Thanks Again.

John

John Lindgren wrote:
> Thank You for your help!
>
> John
>
> Daniel J Walsh wrote:
>> John Lindgren wrote:
>>> I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
>>>
>>> Will upgrade to the new policy later tonight.
>>>
>>> Should I then remove the local.pp I just compiled and see what messages I get?
>>>
>>> John
>>
>> yes


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


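The post-upgrade check John walks through (rotate the audit log, exercise the mail system, then look at the fresh audit.log for dovecot entries) can be scripted so that the verdict is a count per source domain rather than a visual scan of audit2allow output. The script below is an added example, not code from the thread or from the selinux-policy package; the AVC records it parses are constructed samples that mirror the denials named in the subject line, and the field layout assumed is the standard `type=AVC ... avc: denied { perms } ... scontext=... tclass=...` form.

```sh
#!/bin/sh
# Constructed sample of audit.log AVC records (not taken from the thread).
# The first two mirror the dovecot_auth_t denials the subject line names;
# the third mirrors the httpd_t name_connect denial audit2allow reported.
SAMPLE_AVC='type=AVC msg=audit(1180000000.001:101): avc:  denied  { audit_write } for  pid=1234 comm="dovecot-auth" capability=29  scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1180000000.002:102): avc:  denied  { create } for  pid=1234 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1180000000.003:103): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=110 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket'

# Read AVC records on stdin; print "source_type tclass perms" per denial.
# In real use: avc_summary < /var/log/audit/audit.log
avc_summary() {
  awk '/^type=AVC/ && /denied/ {
    perms = $0; sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
    # source type is the third colon-separated field of scontext=
    src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/[: ].*/, "", src)
    cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
    print src, cls, perms
  }'
}

# Count denials on stdin whose source domain is $1 (prints 0 when none).
denials_for() {
  avc_summary | awk -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# The check the thread ends on: after the new policy is loaded and the log
# rotated, a fresh audit.log should carry no dovecot_auth_t denials.
# Exit status 0 when the domain is clean, 1 when denials remain.
domain_clean() {
  [ "$(denials_for "$1")" -eq 0 ]
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run against a real log as `domain_clean dovecot_auth_t < /var/log/audit/audit.log` after the log has been rotated and the mail system exercised; a non-zero exit means the upgrade did not cover that domain.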
