On 12/02/2009 03:22 PM, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
>> On 11/29/2009 05:11 AM, Sandro Janke wrote:
>>> Actually, you don't need to have any of the setroubleshoot packages
>>> installed to get AVC messages logged. What you need is auditd running
>>> and it will log AVC messages to /var/log/audit/audit.log
>>>
>>> With setroubleshoot-server installed you can watch the logged
>>> messages using:
>>>
>>> # sealert -a /var/log/audit/audit.log
>>>
>>> The output will be long and in the style of setroubleshoot browser,
>>> so take your measures.
>>>
>>> Another tool - from the audit package - that can prove very useful is
>>> ausearch. It will search the audit logs for messages matching the
>>> given criteria.
>>
>> But I'm not getting any messages there. And changing enforcing mode
>> fixes the problem, so it seems like it has to be SELinux, but with no
>> log, I can't figure out what rule needs to be changed.
>>
>>
>
> At the suggestion of Daniel Walsh, I ran
>
> semodule -DB
>
> then restarted dovecot and got my messages. I've used those to create
> policy, but can't load it.
>
> I've configured dovecot to use a local socket connection to postgres.
> Here is what I for SELinux:
>
> grep 'Dec 2.*dovecot-auth' /var/log/messages| audit2allow -m local
> > local.te
> 328 root> cat local.te
>
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> type unlabeled_t;
> type postgresql_tmp_t;
> class sock_file write;
> class unix_stream_socket read;
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
>
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to
> tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were
> not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> I'm at a loss on what to do here. Suggestions on why it would tell me
> this?
>
> roland
>

Did you replace the dovecot.pp when you first tried this?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
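
A pre-flight check for the failure quoted above (`global requirements were not met: type/attribute dovecot_auth_t`), as an added example that is not part of the thread: it lists the types a `.te` file requires that are absent from a saved type list. The function names, the sample files, and the use of saved `seinfo -t` output as the type list are assumptions.

```shell
# required_types TE_FILE: print each type named in the require { } block.
required_types() {
    awk '
        /^[[:space:]]*require[[:space:]]*[{]/ { in_req = 1; next }
        in_req && /[}]/                       { in_req = 0 }
        in_req && $1 == "type" {
            sub(/^[[:space:]]*type[[:space:]]+/, "")
            sub(/;.*$/, "")
            n = split($0, names, /[[:space:]]*,[[:space:]]*/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }
    ' "$1"
}

# missing_types TE_FILE TYPES_FILE: print required types not in TYPES_FILE,
# a one-type-per-line list (assumed here to be saved `seinfo -t` output).
missing_types() {
    required_types "$1" | awk -v list="$2" '
        BEGIN {
            while ((getline line < list) > 0) {
                gsub(/[[:space:]]/, "", line)
                have[line] = 1
            }
        }
        !($0 in have)
    '
}

# demo: run the check on constructed sample files.
demo() {
    dir=$(mktemp -d)
    # Constructed copy of the require block from the local.te in the thread.
    cat > "$dir/local.te" <<'EOF'
module local 1.0;
require {
    type dovecot_auth_t;
    type unlabeled_t;
    type postgresql_tmp_t;
    class sock_file write;
}
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
EOF
    # Constructed type list with dovecot_auth_t deliberately absent.
    printf '%s\n' 'Types: 3' '   dovecot_t' '   postgresql_tmp_t' '   unlabeled_t' > "$dir/types.txt"
    missing_types "$dir/local.te" "$dir/types.txt"
    rm -rf "$dir"
}

demo   # prints: dovecot_auth_t
```

Any type this prints is one the module linker would reject at `semodule -i` time, so the check can run before the install step.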