Sorry, I know this isn't Fedora (CentOS 5 actually) but I believe this
may be a more generic situation.
I recently was trying to troubleshoot an issue where a process spawned
off under the dovecot_t process type and needed to create files under /tmp
(tmp_t).
This wasn't obvious as there were no denial messages in audit for
tmp_t. Even using "semodule -DB" didn't show denial messages. All I
knew was the process was trying to read/write files and was getting
access denied. I just didn't know where or why.
Eventually an strace on the process tree showed the access attempt to
/tmp. Since I knew policy would be required to create tmp types I went
ahead and added tmp file transitions and appropriate supporting
permissions around the new dovecot_tmp_t type. This fixed the problem.
What is surprising to me is that there were no denial messages related
to tmp_t or dovecot_t. Nothing, regardless of permissive vs enforcing,
or semodule -DB set.
Any clue as to why this wouldn't trigger a log message?
This is a strict, not targeted, policy; yes, I know, very old school.
Thanks,
David