A bit of confusion over dkim_milter_t
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Wed Jul 17 22:03:45 UTC 2013

As is my usual state with things SELinux I am a bit confused about a
problem I was trying to troubleshoot involving opendkim.

Essentially I was getting this:

node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc:
denied { name_bind } for pid=4528 comm="opendkim" src=8891
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Ok simple enough I think, so I start to search the rules:

sesearch -s dkim_milter_t -t port_t --allow
Found 4 semantic av rules:
allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
allow dkim_milter_t port_t : udp_socket name_bind ;
allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;

Umm, ok doesn't that pretty much list it as allowed there?

Anyway I pump the denial through audit2allow just for kicks:

#============= dkim_milter_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;

Again still a little confused by why this rule is necessary when I can
find it in the policy. But I get even more confused why setting
allow_ypbind to 1 fixes the issue.

What am I missing here?

If you could please CC me I only get the digests.

-Erinn
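
An added example, not part of the original post: it cross-checks the AVC record against the sesearch and audit2allow output quoted above, using hypothetical helper names (`parse_avc`, `parse_rules`, `diagnose`). It assumes exact type-name matching (attributes such as `port_type` are not expanded) and treats "rule listed, still denied, audit2allow names a boolean" as a sign that the listed rule sits inside that boolean's conditional block, which `sesearch -C` prints next to each rule.

```python
import re

# Inputs copied from the post above.
AVC = ('node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: '
       'denied { name_bind } for pid=4528 comm="opendkim" src=8891 '
       'scontext=unconfined_u:system_r:dkim_milter_t:s0 '
       'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SESEARCH = """\
allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
allow dkim_milter_t port_t : udp_socket name_bind ;
allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;
"""
AUDIT2ALLOW = """\
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;
"""

RULE = re.compile(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;')
CTX = r'=[^:\s]+:[^:\s]+:([^:\s]+)'   # user:role:type[:level] -> capture type

def parse_avc(line):
    """Return (source type, target type, class, denied permissions)."""
    perms = frozenset(re.search(r'denied\s+\{([^}]*)\}', line).group(1).split())
    return (re.search('scontext' + CTX, line).group(1),
            re.search('tcontext' + CTX, line).group(1),
            re.search(r'tclass=(\w+)', line).group(1), perms)

def parse_rules(text):
    """Map (source, target, class) -> union of permissions in allow rules."""
    rules = {}
    for src, tgt, cls, braced, single in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return rules

def diagnose(avc, sesearch_out, audit2allow_out):
    """Classify a denial against the rules sesearch listed (exact names only)."""
    src, tgt, cls, denied = parse_avc(avc)
    listed = denied <= parse_rules(sesearch_out).get((src, tgt, cls), set())
    booleans = re.findall(r"using the boolean '([^']+)'", audit2allow_out)
    if listed and booleans:
        verdict = 'rule listed but gated by boolean'   # inference, see lead-in
    elif listed:
        verdict = 'rule listed yet denied'
    else:
        verdict = 'no matching allow rule'
    return {'verdict': verdict, 'booleans': booleans}

if __name__ == '__main__':
    print(diagnose(AVC, SESEARCH, AUDIT2ALLOW))
```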