As is my usual state with things SELinux, I am a bit confused about a problem I was trying to troubleshoot involving opendkim. Essentially I was getting this:

node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: denied { name_bind } for pid=4528 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Ok, simple enough I think, so I start to search the rules:

sesearch -s dkim_milter_t -t port_t --allow
Found 4 semantic av rules:
   allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
   allow dkim_milter_t port_t : udp_socket name_bind ;
   allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
   allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;

Umm, ok, doesn't that pretty much list it as allowed there? Anyway, I pump the denial through audit2allow just for kicks:

#============= dkim_milter_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;

Again, I am still a little confused by why this rule is necessary when I can find it in the policy. But I get even more confused by why setting allow_ypbind to 1 fixes the issue. What am I missing here?

If you could please CC me, I only get the digests.

-Erinn
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
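An added triage helper, not part of the message above or of any SELinux tool: it parses an AVC denial line into the fields sesearch needs, builds a setools 3 sesearch query that includes -C (--show_cond) so the boolean expression guarding a conditional rule is printed alongside it, and pulls the boolean name out of audit2allow's "#!!!!" hint line. It assumes setools 3 (the version that prints "Found N semantic av rules"); the sample input is the denial and audit2allow output quoted in the post.

```python
import re
from typing import Dict, List

# Audit AVC denial format, as in the quoted message:
# avc: denied { perm ... } for pid=N comm="x" ... scontext=U:R:T:L tcontext=U:R:T:L tclass=C
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit2allow emits this hint when the matching allow rule sits under a boolean
HINT_RE = re.compile(r"can be allowed using the boolean '([\w.]+)'")


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC denial into permissions, source/target types and class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC line lacks %s" % ", ".join(missing))
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],  # user:role:type:level
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def sesearch_commands(avc: Dict[str, object]) -> List[List[str]]:
    """One setools 3 sesearch per denied permission. -C (--show_cond) prints the
    boolean expression guarding conditional rules, which a plain --allow
    listing shows as unconditional allows."""
    base = ["sesearch", "--allow", "-C", "-s", avc["source_type"],
            "-t", avc["target_type"], "-c", avc["tclass"]]
    return [base + ["-p", perm] for perm in avc["perms"]]


def booleans_from_audit2allow(output: str) -> List[str]:
    """Collect boolean names from audit2allow's '#!!!!' hint lines."""
    return sorted(set(HINT_RE.findall(output)))


# Constructed sample: the denial and audit2allow output quoted in the message.
SAMPLE_AVC = ('node=host.example.com type=AVC msg=audit(1374091410.640:248952): '
              'avc: denied { name_bind } for pid=4528 comm="opendkim" src=8891 '
              'scontext=unconfined_u:system_r:dkim_milter_t:s0 '
              'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SAMPLE_A2A = ("#============= dkim_milter_t ==============\n"
              "#!!!! This avc can be allowed using the boolean 'allow_ypbind'\n"
              "allow dkim_milter_t port_t:tcp_socket name_bind;\n")

if __name__ == "__main__":
    for cmd in sesearch_commands(parse_avc(SAMPLE_AVC)):
        print(" ".join(cmd))
    print("booleans:", booleans_from_audit2allow(SAMPLE_A2A))
```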