Re: dovecot_auth_t wants capability audit_write and netlink_audit_socket create

[John Lindgren <nwaero@xxxxxxxxxxxxxxxxxx>]

Just to close this thread out:

I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7

removed the the local.pp I made earlier:
# semodule -r local

forced a reload of the policy:
# semodule -R

rotated the audit log:
# logrotate -f /etc/logrotate.d/audit

Then I went and exercised the mail system, sendmail, mailman, 
MailScanner, spamassissin, clamav, f-prot, squirrelmail, apache... I 
remember when it was simpler.

took a look at the fresh audit.log
# audit2allow -a

And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write 
getattr rmd
ir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create 
unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;

But notice, NO DOVECOT!


made a module:
# cat /var/log/audit/audit.log | audit2allow -M localMAIL

installed it:
# semodule -i localMAIL.pp

put selinux back into enforce:
# setenforce 1

and re-rotated the log:
# logrotate -f /etc/logrotate.d/audit

Then sat back and waited for the phone to ring... {quiet}

Confirmed with:
# audit2allow -a

And got nothing. Everything working great now.

New policy package fixed dovecot problem, Thanks Again.

John

John Lindgren wrote:
> Thank You for your help!
>
> John
>
> Daniel J Walsh wrote:
>
> > John Lindgren wrote:
> >
> > > I defined the other permissions in local.te so that it would compile 
> > > and then installed local.pp. Switching to setenforce 1 dovecot logins 
> > > with pam now WORK!... as far as I can tell. ;)
> > >
> > > Will upgrade to the new policy later tonight.
> > >
> > > Should I then remove the local.pp I just compiled and see what 
> > > messages I get?
> > >
> > > John
> >
> >
> > yes
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list