On 04/04/2018 01:55 PM, leam hall wrote:
> On Wed, Apr 4, 2018 at 6:19 AM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>> On 04/02/2018 07:20 PM, leam hall wrote:
>>> On Fri, Mar 30, 2018 at 5:18 PM, Simon Sekidde <ssekidde@xxxxxxxxxx> wrote:
>>>> Leam,
>>>>
>>>> This rule should already exist in the current policy to suppress the alerts
>>>>
>>>> dontaudit postfix_domain kernel_t : system module_request ;
>>>
>>> Didn't see it. Stock and patched RHEL 6.
>>>
>>
>> This could be a kernel bug. We had a discussion about it:
>> https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#commitcomment-27837961
>>
>> But if you're running RHEL6, the bug shouldn't be there.
>> If you still see these AVCs, please dontaudit it as mentioned
>> in the email from Simon.
>>
>> Lukas.
>
> Not sure we want to hide the denial. Doesn't that mean SELinux is
> preventing Postfix from doing something it thinks it should do?
> Wouldn't allowing it be better, assuming Postfix is supposed to do
> whatever?
>

This SELinux denial is caused by a bug in the kernel; most probably postfix doesn't really need to request that the kernel add a new module. You have 2 options here:

First one, dontaudit it, which means that it won't be allowed and you won't be spammed about this in the audit log.

Second one, don't dontaudit it and wait until it is (hopefully) fixed in the kernel.

Lukas.

> Or do I not understand?
>
> Leam
>

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
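The dontaudit Simon quoted, packaged as a loadable local policy module, together with the two checks the thread touches on: whether such a rule is already in the loaded policy (Leam's "Didn't see it"), and how to temporarily see the denials dontaudit hides so you can tell when the kernel fix has landed. This is an added example, not code from the thread or from selinux-policy; the module name local_postfix_modreq and the /tmp paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Raw module form, the same shape
# audit2allow -M emits; module name and /tmp paths are assumptions.
MODNAME=local_postfix_modreq

# Write the module source. dontaudit silences the AVC but grants nothing.
write_postfix_dontaudit_te() {
    out="$1"
    cat > "$out" <<EOF
module $MODNAME 1.0;

require {
    attribute postfix_domain;
    type kernel_t;
    class system module_request;
}

# Silence, but do NOT allow, postfix asking the kernel to load a module.
dontaudit postfix_domain kernel_t:system module_request;
EOF
    echo "$out"
}

# Is a dontaudit for this access already in the loaded policy?
# (postfix_domain is an attribute, so every postfix type is covered.)
check_existing_rule() {
    sesearch --dontaudit -s postfix_domain -t kernel_t -c system -p module_request
}

# Compile and load (needs checkmodule, semodule_package, semodule; run as root).
build_and_install() {
    te="$1"; dir=$(dirname "$te")
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
}

# To see what dontaudit is hiding (e.g. to check whether the kernel bug is
# gone): rebuild policy without dontaudit rules, look, then restore them.
show_hidden_denials() {
    semodule -DB
    ausearch -m AVC -ts recent 2>/dev/null | grep module_request || echo "no recent module_request AVCs"
    semodule -B
}

case "${1:-}" in
    install) build_and_install "$(write_postfix_dontaudit_te "/tmp/$MODNAME.te")" ;;
    check)   check_existing_rule ;;
    hidden)  show_hidden_denials ;;
esac
```

Run with `check` first; if sesearch already lists the rule, the AVCs you see are coming from a dontaudit-disabled policy (`semodule -DB`) rather than a missing rule.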