On 09/22/2011 09:58 AM, Paul Howarth wrote:
> On 06/11/2011 02:57 PM, Dominick Grift wrote:
>>
>> On Sat, 2011-06-11 at 14:55 +0100, Arthur Dent wrote:
>>
>>>>> Anyway, the above AVC looked strange and I didn't want to
>>>>> create a local policy module for it until I had checked
>>>>> with the chaps here...
>>>>
>>>> This does not look particularly strange. The pipe is probably
>>>> created by systemd.
>>>
>>> So, should I create a policy module to allow it?
>>>
>>
>> Did you notice any loss of functionality? Anyways I do not see a
>> problem with allowing it.
>
> I'm getting this when I restart opendkim on F-15:
>
> type=AVC msg=audit(1316699607.377:150425): avc: denied { read }
> for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
> ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
> tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
> type=AVC msg=audit(1316699607.377:150425): avc: denied { open }
> for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
> ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
> tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e
> syscall=2 success=yes exit=3 a0=14c60a0 a1=80900
> a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=9220 comm="systemd-tty-ask"
> exe="/bin/systemd-tty-ask-password-agent"
> subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
> type=CWD msg=audit(1316699607.377:150425): cwd="/"
> type=PATH msg=audit(1316699607.377:150425): item=0
> name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12
> mode=010600 ouid=0 ogid=0 rdev=00:00
> obj=unconfined_u:object_r:init_var_run_t:s0
>
> I don't know what's happening here and it doesn't appear to affect
> the operation of opendkim, so I'm tempted to dontaudit it rather
> than allow it. But what is it actually trying to do?
>
> Paul.

This is allowed in F16/Rawhide policy. Looks like systemd
functionality is being back ported into F15 and selinux-policy has to
adapt.
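
An added example, not part of the thread or of any poster's message: a small parser that merges the two AVC records quoted above and renders either the `allow` rule or the `dontaudit` rule the posters discuss, as a local `.te` module. The module name `local_systemd_ask` and all function names are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records from the thread, kept hard-wrapped as mail clients leave them.
SAMPLE = """\
type=AVC msg=audit(1316699607.377:150425): avc: denied { read }
for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc: denied { open }
for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
"""

# re.S lets one record span several wrapped lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)",
    re.S)

def sel_type(context):
    """user:role:type:level -> type (third colon-separated field)."""
    return context.split(":")[2]

def collect(log_text):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    merged = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log_text):
        merged[(sel_type(scon), sel_type(tcon), tclass)].update(perms.split())
    return dict(merged)

def render_rules(merged, keyword="allow"):
    """keyword is 'allow' (permit) or 'dontaudit' (keep denying, stop logging)."""
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def render_module(name, merged, keyword="allow"):
    """Build the text of a local .te module; 'name' is a hypothetical module name."""
    types = sorted({x for (s, t, _) in merged for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "",
                      *render_rules(merged, keyword), ""])

if __name__ == "__main__":
    print(render_module("local_systemd_ask", collect(SAMPLE), "dontaudit"))
```

Both denials share one audit event ID and collapse into a single rule on `fifo_file` with `{ open read }`; the only difference between the two options is the rule keyword.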