dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Matthew Gillen matt at gillens.us
Tue Jun 5 01:25:51 UTC 2007


John Lindgren wrote:
> Hi,
> New to this list, not totally new to selinux.
> 
> Running F7 with everything current (06/04/2007), policy is
> selinux-policy-targeted-2.6.4-8.fc7.
> 
> cat /var/log/audit/audit.log:
> type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write }
> for  pid=13774 comm="dovecot-auth" capability=29
> scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> 
> type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for
> pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> 
> 
> cat /var/log/audit/audit.log | audit2allow -M local:
> 
> 
> cat local.te:
> module local 1.0;
> 
> require {
>         type dovecot_auth_t;
>         class capability audit_write;
>         class netlink_audit_socket { write nlmsg_relay create read };
> }
> 
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability audit_write;
> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> create read };
> 
> 
> semodule -i local.pp:
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:capability { audit_write };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> 
> Should I add something magical (what, I'm not sure) to the .te to allow
> this anyway? Or is there something missing from the distribution
> targeted policy? Or edit the base policy and recompile the whole thing?
> Or...
> 
> Anyone else having this problem?

Yep, I am.  Got tired of tinkering last night and just put it in permissive
mode for the time being.

I'm getting a slightly different .te file, but ultimately the same 2 assertion
violations.

Matt
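
For anyone who wants to see what audit2allow is doing with records like the two above, here is an added Python example (written for this reply, not code from the thread or from the audit2allow tool) that parses AVC lines into the require/allow layout of a .te file. The log excerpt is constructed from the thread's records; the pids and the trailing SYSCALL line are made up.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the thread's AVC records (pids made up).
AUDIT_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write } for  pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for  pid=4242 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181003859.500:18628): avc:  denied  { write nlmsg_relay } for  pid=4242 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181003859.500:18628): arch=c000003e syscall=44 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def _perm_list(perms) -> str:
    """Single permission bare, several in braces, as audit2allow prints them."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def parse_avc(log_text: str) -> dict:
    """Group denied permissions by (source type, target, object class).
    Target is 'self' when source and target types match."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL line)
        stype, ttype = _type_of(m.group("scon")), _type_of(m.group("tcon"))
        target = "self" if stype == ttype else ttype
        rules[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_te(module: str, rules: dict) -> str:
    """Render the grouped denials as policy module source."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_perm_list(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

The two rules semodule rejected (audit_write and nlmsg_relay) fail neverallow assertions compiled into the base policy, which is why a local module cannot override them; the generated .te is something to read and prune, not to force in.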
