Re: [PATCH] setroubleshoot: Fix sealert message for capability2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please disregard this patch. I accidentally sent it to the wrong address.

----- Original Message -----
From: "Vit Mojzis" <vmojzis@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxx
Cc: plautrba@xxxxxxxxxx, "Vit Mojzis" <vmojzis@xxxxxxxxxx>
Sent: Monday, August 8, 2016 10:13:26 AM
Subject: [PATCH] setroubleshoot: Fix sealert message for capability2

Sealert didn't know "capability2" class which caused capability2
denials (e.g. block_suspend) to be reported as "access" denials.

fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1360392

type=AVC msg=audit(1468324670.938:596175): avc:  denied
{ block_suspend } for  pid=8442 comm="smtp" capability=36
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=capability2

SELinux is preventing smtp from block_suspend access on the capability2 Unknown.

Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
---
 framework/src/setroubleshoot/signature.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/framework/src/setroubleshoot/signature.py b/framework/src/setroubleshoot/signature.py
index 77ecc35..1f60c74 100755
--- a/framework/src/setroubleshoot/signature.py
+++ b/framework/src/setroubleshoot/signature.py


@@ -212,6 +212,7 @@ class_dict['process'] = _("process")
 class_dict['filesystem'] = _("filesystem")
 class_dict['node'] = _("node")
 class_dict['capability'] = _("capability")
+class_dict['capability2'] = _("capability2")
 
 def translate_class(tclass):
     if tclass in list(class_dict.keys()):
@@ -447,7 +448,7 @@ class SEFaultSignatureInfo(XmlSerialize):
         if self.tclass == "process":
             return P_(_("SELinux is preventing %s from using the %s access on a process."), _("SELinux is preventing %s from using the '%s' accesses on a process."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access))
 
-        if self.tclass == "capability":
+        if self.tclass in ["capability", "capability2"]:
             return P_(_("SELinux is preventing %s from using the %s capability."), _("SELinux is preventing %s from using the '%s' capabilities."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access))
         if self.tpath == "(null)":
             return P_(_("SELinux is preventing %s from %s access on the %s labeled %s."), _("SELinux is preventing %s from '%s' accesses on the %s labeled %s."), len(self.sig.access)) % (self.spath, ", ".join(self.sig.access), translate_class(self.tclass), self.tcontext.type)
-- 
2.5.5

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux