dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Daniel J Walsh dwalsh at redhat.com
Mon Jun 11 17:36:07 UTC 2007


John Lindgren wrote:
> Just to close this thread out:
>
> I upgraded to:
> # rpm -qa|grep selinux-policy
> selinux-policy-targeted-2.6.4-13.fc7
> selinux-policy-2.6.4-13.fc7
> selinux-policy-devel-2.6.4-13.fc7
>
> removed the local.pp I made earlier:
> # semodule -r local
>
> forced a reload of the policy:
> # semodule -R
>
> rotated the audit log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then I went and exercised the mail system, sendmail, mailman, 
> MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I 
> remember when it was simpler.
>
> took a look at the fresh audit.log
> # audit2allow -a
>
> And there were all the usual suspects:
> #============= clamscan_t ==============
> allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
> allow clamscan_t clamd_var_lib_t:file { write create unlink };
clamscan writes file in /var/lib/clamav?
>
> allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
This should probably be dontaudited, especially the create/write parts.
> allow clamscan_t initrc_tmp_t:file { write getattr read lock create 
> unlink };
> allow clamscan_t tmpfs_t:dir { read search getattr };
> allow clamscan_t tmpfs_t:file { read getattr };
What are these for? 
> allow clamscan_t var_spool_t:file { read write };
>
This looks like something is mislabeled?  What file is labeled 
var_spool_t that clamscan is trying to write?
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket name_connect;
>
setsebool -P httpd_can_sendmail=1

should fix this
> #============= procmail_t ==============
> allow procmail_t var_spool_t:file read;
>
Same mislabeled file from above?
> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;
Why would system mail be looking at httpd process data?
>
> But notice, NO DOVECOT!
>
>
> made a module:
> # cat /var/log/audit/audit.log | audit2allow -M localMAIL
>
> installed it:
> # semodule -i localMAIL.pp
>
> put selinux back into enforce:
> # setenforce 1
>
> and re-rotated the log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then sat back and waited for the phone to ring... {quiet}
>
> Confirmed with:
> # audit2allow -a
>
> And got nothing. Everything working great now.
>
> New policy package fixed dovecot problem, Thanks Again.
>
> John
>
> John Lindgren wrote:
>> Thank You for your help!
>>
>> John
>>
>> Daniel J Walsh wrote:
>>
>>> John Lindgren wrote:
>>>
>>>> I defined the other permissions in local.te so that it would 
>>>> compile and then installed local.pp. Switching to setenforce 1 
>>>> dovecot logins with pam now WORK!... as far as I can tell. ;)
>>>>
>>>> Will upgrade to the new policy later tonight.
>>>>
>>>> Should I then remove the local.pp I just compiled and see what 
>>>> messages I get?
>>>>
>>>> John
>>>
>>>
>>> yes
>>>
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
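As an added example (not code from this thread or from the Fedora policy), a small Python triage script that parses `audit2allow -a` output like John's and sorts each rule the way the reply above does: fixable by a boolean, a suspected mislabel, or a genuine local-module candidate. The sample rules are constructed to mirror the ones quoted, and the boolean table and generic-type list are assumptions.

```python
import re

# Constructed sample in the shape of `audit2allow -a` output, mirroring the
# rules quoted in the thread (not a real log from John's system).
SAMPLE = """\
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t var_spool_t:file { read write };
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
"""

# One allow rule: "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };"
RULE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+));")

# Assumed triage tables: generic types are the ones the reply treats as a sign
# of mislabeling; the boolean entry is the reply's own setsebool advice.
GENERIC_TYPES = {"var_spool_t", "var_t", "tmp_t", "tmpfs_t", "initrc_tmp_t"}
BOOLEANS = {("httpd_t", "pop_port_t", "tcp_socket", "name_connect"): "httpd_can_sendmail"}


def parse_rules(text):
    """Return (source, target, class, perms) tuples; perms sorted for stable keys."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skip the #====== headers and blank lines
        src, tgt, cls, many, single = m.groups()
        perms = tuple(sorted(many.split())) if many else (single,)
        rules.append((src, tgt, cls, perms))
    return rules


def triage(text):
    """Map each parsed rule to a verdict: boolean, suspected mislabel, or module."""
    verdicts = {}
    for src, tgt, cls, perms in parse_rules(text):
        bools = {BOOLEANS.get((src, tgt, cls, p)) for p in perms} - {None}
        if bools:
            verdict = "boolean: setsebool -P %s=1" % " ".join(sorted(bools))
        elif tgt in GENERIC_TYPES:
            verdict = "suspect mislabel: check the file with ls -Z / restorecon -n -v"
        else:
            verdict = "module candidate: review, then audit2allow -M"
        verdicts[(src, tgt, cls, perms)] = verdict
    return verdicts
```

Run `triage(open("audit2allow.out").read())` on real output to get the per-rule verdicts; only the "module candidate" rules should end up in a local .te.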