On 04/04/2018 01:55 PM, leam hall wrote:
On Wed, Apr 4, 2018 at 6:19 AM, Lukas Vrabec
<lvrabec(a)redhat.com> wrote:
> On 04/02/2018 07:20 PM, leam hall wrote:
>> On Fri, Mar 30, 2018 at 5:18 PM, Simon Sekidde <ssekidde(a)redhat.com>
wrote:
>>> Leam,
>>
>>> This rule should already exist in the current policy to suppress the alerts
>>>
>>> dontaudit postfix_domain kernel_t : system module_request ;
>>
>>
>> Didn't see it. Stock and patched RHEL 6.
>>
>
> This could be kernel bug. We had a discussion about it:
>
https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c5193...
>
>
> But if you're running RHEL6, the bug shouldn't be there.
> If you're still see these AVCs please dontaudit it like it's mentioned
> in email from Simon.
>
> Lukas.
Not sure we want to hide the denial. Doesn't that mean SELinux is
preventing Postfix from doing something it thinks it should do?
Wouldn't allowing it be better, assuming Postfix is supposed to do
whatever?
This SELinux denial is caused by bug in kernel, most probably postfix
doesn't really need request kernel for add new module. You have 2
options here:
First one, dontaudit it, which means that it won't be allowed and you
want be spammed about this in audit log.
Second one, I don't dontaudit it and wait while it will be (hopefully)
fixed in kernel.
Lukas.
Or do I not understand?
Leam
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.