Re: Weird un-audited denial on tmp_t

On 07/01/14 22:43, David wrote:
Sorry, I know this isn't fedora (CentOS 5 actually) but I believe this
may be a more generic situation.

I recently was trying to troubleshoot an issue where a process spawned
off under the dovecot_t process type and needed to create files under /tmp
(tmp_t).

This wasn't obvious as there were no denial messages in audit for
tmp_t.  Even using "semodule -DB" didn't show denial messages.  All I
knew was the process was trying to read/write files and was getting
access denied.  I just didn't know where or why.

Eventually an strace on the process tree showed the access attempt to
/tmp.  Since I knew policy would be required to create tmp types I went
ahead and added tmp file transitions and appropriate supporting
permissions around the new dovecot_tmp_t type.  This fixed the problem.

What is surprising to me is that there were no denial messages related
to tmp_t or dovecot_t.  Nothing, regardless of permissive vs enforcing,
or semodule -DB set.

Any clue as to why this wouldn't trigger a log message?

This is a strict, not targeted policy, yes I know very old school.

Thanks,
David

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

After you've removed all dontaudits, does seinfo show any dontaudit?
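The check the reply asks for, and the private-tmp-type fix David describes, as an added example script that is not code from either post. It assumes the setools CLI (seinfo, sesearch), policycoreutils (semodule, ausearch) and the selinux-policy-devel Makefile as shipped on refpolicy-based distributions; the refpolicy interface names (files_tmp_file, files_tmp_filetrans, manage_*_pattern) and the "Dontaudit:" column of `seinfo --stats` are assumptions about the CentOS 5 strict policy tooling, and the sample stats text is constructed. Every live call is guarded, so the parsing helpers also run on a host without SELinux.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts. Assumes the
# setools CLI (seinfo, sesearch), policycoreutils (semodule, ausearch) and the
# selinux-policy-devel Makefile of a refpolicy-based distribution. Refpolicy
# interface names are used for the dovecot_tmp_t module; their exact form in the
# CentOS 5 strict policy is an assumption.

# Constructed sample of two `seinfo --stats` lines, used only for a dry run.
SAMPLE_STATS='   Allow:          275220    Neverallow:          0
   Auditallow:         76    Dontaudit:      200726'

# Print the "Dontaudit: N" count from `seinfo --stats` text on stdin
# (prints nothing when no such line is present).
dontaudit_count() {
    sed -n 's/.*Dontaudit:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify that count. Exit 0: no dontaudit rules loaded, every denial will be
# audited. Exit 1: rules remain, so a denial can stay silent. Exit 2: the count
# could not be read. Run this after `semodule -DB` to confirm it took effect.
dontaudit_status() {
    n=$(dontaudit_count)
    case "$n" in
        "") echo "no Dontaudit line found in seinfo --stats output" >&2; return 2 ;;
        0)  echo "0 dontaudit rules loaded: every denial will be audited"; return 0 ;;
        *)  echo "$n dontaudit rules loaded: denials can be silent, run 'semodule -DB'"; return 1 ;;
    esac
}

# List the dontaudit rules that could hide a denial from SRC on TGT,
# e.g. hidden_rules dovecot_t tmp_t
hidden_rules() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 2; }
    sesearch --dontaudit -s "$1" -t "$2"
}

# Write the module that gives dovecot_t a private tmp type: files and
# directories dovecot_t creates in /tmp get dovecot_tmp_t instead of tmp_t.
# Loading fails if the base policy already defines dovecot_tmp_t.
write_dovecot_tmp_te() {
    cat > "$1" <<'EOF'
policy_module(dovecot_tmp_local, 1.0)

gen_require(`
    type dovecot_t;
')

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)

# Type transition on create, plus the permissions to use the new type.
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
EOF
}

# Build the .te with the policy-devel Makefile and load it (root required).
build_and_load() {
    te=$1
    [ -f /usr/share/selinux/devel/Makefile ] || { echo "selinux-policy-devel not installed" >&2; return 2; }
    ( cd "$(dirname "$te")" && make -f /usr/share/selinux/devel/Makefile "$(basename "${te%.te}").pp" ) &&
        semodule -i "${te%.te}.pp"
}

# Live walk-through; set SELINUX_TMP_DEBUG=1 to run it on a real host.
if [ "${SELINUX_TMP_DEBUG:-0}" = 1 ]; then
    if command -v seinfo >/dev/null 2>&1; then
        seinfo --stats | dontaudit_status || semodule -DB      # strip the suppressors
        hidden_rules dovecot_t tmp_t
        ausearch -m avc -ts recent 2>/dev/null | grep -E 'tmp_t|dovecot_t'
    else
        printf '%s\n' "$SAMPLE_STATS" | dontaudit_status      # dry run on the sample
    fi
fi
```

`semodule -DB` rebuilds the loaded policy with every dontaudit rule dropped and `semodule -B` puts them back, so `seinfo --stats | dontaudit_status` returning 0 is the evidence that silent suppression is really off. If it is off, the machine is permissive and strace still shows EACCES, the denial is not coming from SELinux at all (permissive mode never denies), so check the process domain with `ps -eZ` and look at DAC permissions on /tmp before writing more policy.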
