On Sun, 2009-11-29 at 20:46 -0500, Roland Roberts wrote:
> On 11/29/2009 05:18 AM, Justin P. Mattock wrote:
> > In my case I normally just do:
> > audit2allow -d > to_the_allow_rules
> > audit2allow -i /var/log/*(and the rest of
> > the log messages having any left over avc's
> > to define into the policy);
>
> Guys, you're driving me crazy :-/ I can't *find* a log entry to fix.
> There's nothing where it's supposed to be. So...if you agree that that
> looks like a bug, I'll just go on and file a bug. Otherwise I'm really
> stuck.

I see that my F12 policy has a rule that allows dovecot_t to talk to
postgresql_port_t. Not certain if it is controlled by a boolean which
is toggled wrong on your system or if you are having some other
problem, so let's start by seeing the actual avc denial.

AVCs can end up either in /var/log/messages or /var/log/audit/audit.log
(depending on the system setup.) Also in permissive mode denials are
only logged one time. So you won't see a denial every time it ~would~
have triggered. To flush the selinux cache I typically suggest you set
the system enforcing and back permissive quickly. So let's do these
steps.

    setenforce 1
    setenforce 0
    reproduce problem (or what would be a problem)
    grep -i avc /var/log/messages
    grep -i avc /var/log/audit/audit.log

If both of those come up blank you likely are hitting a problem that is
being 'dontaudit'. I believe you said F11 (if not and it is old enough
to not understand semodule -DB let me know as there are other ways to
do this on older systems)? If so do these steps:

    semodule -DB
    setenforce 1
    setenforce 0
    reproduce problem (or what would be a problem)
    grep -i avc /var/log/messages /var/log/audit/audit.log
    semodule -B

Let us know the output this time. Hopefully we can get to the bottom of
this.

-Eric
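
An added example, not part of the message above: once the steps have produced denials, this shell function summarises them per source domain across both log locations, skipping whichever file is absent. The helper name `avc_summary` is hypothetical and the log lines are constructed samples, not output from the system under discussion.

```shell
#!/bin/sh
# Added example. All log lines below are constructed samples.

# avc_summary DOMAIN FILE...
# Prints "count source_type target_type class perms" for every denial whose
# source type is DOMAIN. Unreadable files are ignored, because AVCs land in
# messages or audit.log depending on the system setup.
avc_summary() {
    domain=$1; shift
    { grep -hi 'avc:.*denied' "$@" 2>/dev/null || :; } | awk -v dom="$domain" '
    {
        s = t = c = p = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        # The denied permissions sit between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            p = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", p); gsub(/ +/, ",", p)
        }
        if (s == dom) n[s " " t " " c " " p]++
    }
    END { for (k in n) print n[k], k }' | sort
}

sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/audit.log" <<'EOF'
type=AVC msg=audit(1259545600.101:41): avc:  denied  { name_connect } for  pid=2101 comm="auth" dest=5432 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259545601.202:42): avc:  denied  { name_connect } for  pid=2102 comm="auth" dest=5432 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259545602.303:43): avc:  denied  { read write } for  pid=2200 comm="httpd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
cat > "$sample/messages" <<'EOF'
Nov 29 20:50:03 host kernel: type=1400 audit(1259545603.404:44): avc:  denied  { getattr } for  pid=2103 comm="dovecot" path="/etc/pki" dev=dm-0 ino=91 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
Nov 29 20:50:04 host dovecot: auth: login ok
EOF

# absent.log does not exist; the function must still report the other two.
avc_summary dovecot_t "$sample/messages" "$sample/audit.log" "$sample/absent.log"
```

On a live system the call would be `avc_summary dovecot_t /var/log/messages /var/log/audit/audit.log`, run as a user who can read both files.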