On Tue, 2007-06-05 at 15:51 -0700, John Lindgren wrote:
> Just to close this thread out:
>
> I upgraded to:
> # rpm -qa|grep selinux-policy
> selinux-policy-targeted-2.6.4-13.fc7
> selinux-policy-2.6.4-13.fc7
> selinux-policy-devel-2.6.4-13.fc7
>
> removed the local.pp I made earlier:
> # semodule -r local
>
> forced a reload of the policy:
> # semodule -R
>
> rotated the audit log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then I went and exercised the mail system, sendmail, mailman,
> MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I
> remember when it was simpler.
>
> took a look at the fresh audit.log
> # audit2allow -a
>
> And there were all the usual suspects:
> #============= clamscan_t ==============
> allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
> allow clamscan_t clamd_var_lib_t:file { write create unlink };
> allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
> allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
> allow clamscan_t tmpfs_t:dir { read search getattr };
> allow clamscan_t tmpfs_t:file { read getattr };
> allow clamscan_t var_spool_t:file { read write };
>
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket name_connect;
>
> #============= procmail_t ==============
> allow procmail_t var_spool_t:file read;
>
> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;
>
> But notice, NO DOVECOT!
>
> made a module:
> # cat /var/log/audit/audit.log | audit2allow -M localMAIL
>
> installed it:
> # semodule -i localMAIL.pp
>
> put selinux back into enforce:
> # setenforce 1
>
> and re-rotated the log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then sat back and waited for the phone to ring... {quiet}
>
> Confirmed with:
> # audit2allow -a
>
> And got nothing. Everything working great now.
>
> New policy package fixed dovecot problem, Thanks Again.
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7). I needed to add the following:

# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };

before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
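The thread builds its local module by piping the whole audit log through audit2allow -M, which grants every denial it sees. As an added example (not code from John, Paul, or the Fedora policy package), the script below instead writes a small policy source carrying only the dovecot-auth rule from Paul's message, checks that nothing else is in it, and compiles it with checkmodule and semodule_package. The module name "localdovecot" is my own choice; the policycoreutils tools are assumed to be installed.

```shell
#!/bin/sh
# Added example: build a single-rule local SELinux policy module for
# dovecot-auth rather than converting an entire audit log with
# audit2allow -M. Module name "localdovecot" is an assumption.

MODNAME=localdovecot

# Emit the policy source (.te). The require block declares the types and
# object class the rule references; the allow line is the one from the thread.
gen_te() {
    cat <<EOF
module $MODNAME 1.0;

require {
    type dovecot_auth_t;
    type updpwd_exec_t;
    class file { execute execute_no_trans };
}

# Allow dovecot-auth to run /sbin/unix-update to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
EOF
}

# Succeeds only when the source holds exactly one allow rule, and it is the
# expected one. This is the review step that audit2allow -M skips.
check_te() {
    n=$(gen_te | grep -c '^allow ')
    [ "$n" -eq 1 ] && gen_te | grep -q '^allow dovecot_auth_t updpwd_exec_t:file'
}

# Compile and load: .te -> .mod -> .pp, then confirm the module is listed.
build_and_install() {
    check_te || { echo "unexpected rule set in $MODNAME.te" >&2; return 1; }
    gen_te > "$MODNAME.te"
    checkmodule -M -m -o "$MODNAME.mod" "$MODNAME.te"
    semodule_package -o "$MODNAME.pp" -m "$MODNAME.mod"
    semodule -i "$MODNAME.pp"
    semodule -l | grep -q "^$MODNAME"
}

# Run the real build only when asked, e.g.:  sh build-dovecot-module.sh install
if [ "${1:-}" = install ]; then
    build_and_install
fi
```

After loading, rotate the audit log as in the thread and re-run audit2allow -a; if dovecot-auth still trips a denial the .te can be extended by hand, one reviewed rule at a time, and rebuilt with the same three commands.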