A bit of confusion over dkim_milter_t

As is my usual state with things SELinux I am a bit confused about a
problem I was trying to troubleshoot involving opendkim.

Essentially I was getting this:
node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc:
denied  { name_bind } for  pid=4528 comm="opendkim" src=8891
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Ok simple enough I think, so I start to search the rules:
sesearch -s dkim_milter_t -t port_t --allow
Found 4 semantic av rules:
   allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
   allow dkim_milter_t port_t : udp_socket name_bind ;
   allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
   allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;

Umm, ok doesn't that pretty much list it as allowed there?

Anyway I pump the denial through audit2allow just for kicks:

#============= dkim_milter_t ==============

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;

Again still a little confused by why this rule is necessary when I can
find it in the policy. But I get even more confused why setting
allow_ypbind to 1 fixes the issue.

What am I missing here?

If you could please CC me I only get the digests.

-Erinn


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
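Added example, not part of the original message or of any project's code: a small checker that matches the AVC record from the post against sesearch output and reports whether each matching allow rule is unconditional or tied to a boolean. It assumes the rule is conditional on allow_ypbind, as the audit2allow hint in the post suggests; the `sesearch -C` line is a constructed sample in the setools 3 output style, and the helper names are hypothetical.

```python
import re

# AVC record from the post above (joined onto one line).
AVC = ('node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: '
       'denied  { name_bind } for  pid=4528 comm="opendkim" src=8891 '
       'scontext=unconfined_u:system_r:dkim_milter_t:s0 '
       'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')

# Constructed sample: the first rule from the post as setools 3 `sesearch -C`
# prints a conditional rule that is currently disabled (assumed, not real output).
SESEARCH_C = """\
DT allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ; [ allow_ypbind ]
   allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
"""

def parse_avc(line):
    """Return (source type, target type, class, set of denied permissions)."""
    perms = set(re.search(r'\{([^}]*)\}', line).group(1).split())
    # Field 3 of user:role:type:level is the type used by type enforcement.
    stype = re.search(r'scontext=(\S+)', line).group(1).split(':')[2]
    ttype = re.search(r'tcontext=(\S+)', line).group(1).split(':')[2]
    tclass = re.search(r'tclass=(\S+)', line).group(1)
    return stype, ttype, tclass, perms

RULE = re.compile(r'^\s*(?:(?P<state>[DE])[TF]\s+)?allow\s+(?P<s>\S+)\s+(?P<t>\S+)\s*:\s*'
                  r'(?P<c>\S+)\s+(?P<p>\{[^}]*\}|\S+)\s*;\s*(?:\[\s*(?P<cond>[^\]]+?)\s*\])?')

def explain(avc_line, sesearch_text):
    """List rules that textually cover the denial and whether each is in effect."""
    stype, ttype, tclass, denied = parse_avc(avc_line)
    hits = []
    for raw in sesearch_text.splitlines():
        m = RULE.match(raw)
        if not m or (m['s'], m['t'], m['c']) != (stype, ttype, tclass):
            continue
        if not denied <= set(m['p'].strip('{} ').split()):
            continue
        # No state flag means unconditional; 'D' means the boolean is switched off.
        hits.append({'rule': raw.strip(), 'boolean': m['cond'],
                     'active': m['state'] != 'D'})
    return hits

if __name__ == '__main__':
    for hit in explain(AVC, SESEARCH_C):
        print(hit)
```

Fed the plain `sesearch --allow` line from the post, the same rule is reported as unconditional, because that output carries no condition marker.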
