Sealert didn't know "capability2" class which caused capability2 denials (e.g. block_suspend) to be reported as "access" denials. fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1360392 type=AVC msg=audit(1468324670.938:596175): avc: denied { block_suspend } for pid=8442 comm="smtp" capability=36 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability2 SELinux is preventing smtp from block_suspend access on the capability2 Unknown. Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
---
 framework/src/setroubleshoot/signature.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/src/setroubleshoot/signature.py b/framework/src/setroubleshoot/signature.py
index 77ecc35..1f60c74 100755
--- a/framework/src/setroubleshoot/signature.py
+++ b/framework/src/setroubleshoot/signature.py
@@ -212,6 +212,7 @@ class_dict['process'] = _("process")
 class_dict['filesystem'] = _("filesystem")
 class_dict['node'] = _("node")
 class_dict['capability'] = _("capability")
+class_dict['capability2'] = _("capability2")
 def translate_class(tclass):
 if tclass in list(class_dict.keys()):
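Review bot: The added `class_dict['capability2'] = _("capability2")` entry carries no comment on what separates this class from `capability`, and the displayed name "capability2" tells the reader of an alert very little. Going by the AVC quoted in the commit message (`capability=36`, `block_suspend`), this class holds the capabilities numbered 32 and up, so a one-line comment above the entry such as `# capability2: capabilities 32 and above, e.g. block_suspend` would document it. The `class_dict` table begins outside the hunk and `translate_class` continues past it.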
@@ -447,7 +448,7 @@ class SEFaultSignatureInfo(XmlSerialize):
 if self.tclass == "process":
 return P_(_("SELinux is preventing %s from using the %s access on a process."), _("SELinux is preventing %s from using the '%s' accesses on a process."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access))
- if self.tclass == "capability":
+ if self.tclass in ["capability", "capability2"]:
 return P_(_("SELinux is preventing %s from using the %s capability."), _("SELinux is preventing %s from using the '%s' capabilities."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access))
 if self.tpath == "(null)":
 return P_(_("SELinux is preventing %s from %s access on the %s labeled %s."), _("SELinux is preventing %s from '%s' accesses on the %s labeled %s."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access), translate_class(self.tclass), self.tcontext.type)
--
2.5.5
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
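Review bot: The membership test `if self.tclass in ["capability", "capability2"]:` hard-codes the capability classes at the point of use, so the next capability-like class will again fall through to the generic "access on the %s" wording. Policies that define the user-namespace variants `cap_userns` and `cap2_userns` would presumably be misreported in the same way; a module-level tuple such as `CAPABILITY_CLASSES = ("capability", "capability2")` with `if self.tclass in CAPABILITY_CLASSES:` gives one place to extend once those classes are confirmed. An alert that names the wrong kind of denial can steer an administrator to the wrong policy change, so the summary should be right for every capability class. The enclosing method of `SEFaultSignatureInfo` begins and ends outside the hunk.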