dovecot_auth_t wants capability audit_write and netlink_audit_socket create

John Lindgren nwaero at northwest-aero.com
Tue Jun 5 03:08:01 UTC 2007


Hi Matthew,
Do you have this as well?
fixfiles check;
matchpathcon_filespec_add:  conflicting specifications for 
/var/lib/dovecot/ssl-parameters.dat and 
/var/run/dovecot/login/ssl-parameters.dat, using 
system_u:object_r:dovecot_var_run_t:s0.

Don't know if there is a connection yet... not expert.

John

Matthew Gillen wrote:
> John Lindgren wrote:
> 
>>Hi,
>>New to this list, not totally new to selinux.
>>
>>Running F7 with everything current (06/04/2007), policy is
>>selinux-policy-targeted-2.6.4-8.fc7.
>>
>>cat /var/log/audit/audit.log:
>>type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write }
>>for  pid=13774 comm="dovecot-auth" capability=29
>>scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>
>>type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for
>>pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>
>>
>>cat /var/log/audit/audit.log | audit2allow -M local:
>>
>>
>>cat local.te:
>>module local 1.0;
>>
>>require {
>>        type dovecot_auth_t;
>>        class capability audit_write;
>>        class netlink_audit_socket { write nlmsg_relay create read };
>>}
>>
>>#============= dovecot_auth_t ==============
>>allow dovecot_auth_t self:capability audit_write;
>>allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>create read };
>>
>>
>>semodule -i local.pp:
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>libsepol.check_assertions: 2 assertion violations occured
>>libsemanage.semanage_expand_sandbox: Expand module failed
>>semodule: Failed!
>>
>>Should I add something magical (what, I'm not sure) to the .te to allow
>>this anyway? Or is there something missing from the distribution
>>targeted policy? Or edit the base policy and recompile the whole thing?
>>Or...
>>
>>Anyone else having this problem?
> 
> 
> Yep, I am.  Got tired of tinkering last night and just put it in permissive
> mode for the time being.
> 
> I'm getting a slightly different .te file, but ultimately the same 2 assertion
> violations.
> 
> Matt
> 

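As an added example (not from the thread, nor audit2allow's own code): a small Python script that parses AVC records like the ones quoted above into audit2allow-style allow rules and flags the permissions that the semodule run above reported as assertion violations, so the conflict shows up before the module is installed. The KNOWN_ASSERTIONS set is constructed from the libsepol messages in the thread, and the third sample AVC line is constructed to match the nlmsg_relay rule in local.te.

```python
import re

# Constructed sample log: the two AVC records from the thread (whitespace
# normalised, second pid made up), a SYSCALL record that carries no denial,
# and a constructed nlmsg_relay denial matching the rule audit2allow produced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write } for  pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181003859.499:18627): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1181003859.501:18628): avc:  denied  { nlmsg_relay } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
"""

# (source type, object class, permission) triples the thread's semodule run
# rejected; constructed here from the libsepol.check_assertion_helper output.
KNOWN_ASSERTIONS = {
    ('dovecot_auth_t', 'capability', 'audit_write'),
    ('dovecot_auth_t', 'netlink_audit_socket', 'nlmsg_relay'),
}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')


def parse_avcs(log_text):
    """Return {(src_type, tgt_type, tclass): set(perms)} for every AVC denial."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records are context only, not denials
        src = m.group('sctx').split(':')[2]  # user:role:type:level -> type
        tgt = m.group('tctx').split(':')[2]
        key = (src, tgt, m.group('tclass'))
        rules.setdefault(key, set()).update(m.group('perms').split())
    return rules


def render_te(rules, name='local'):
    """Render the parsed denials as an audit2allow-style policy module source."""
    types = sorted({t for s, g, _ in rules for t in (s, g)})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt  # same type on both sides -> self
        out.append(f'allow {src} {target}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out)


def check_assertions(rules, assertions=KNOWN_ASSERTIONS):
    """Return sorted (src_type, tclass, perm) triples a known assertion would reject."""
    return sorted((src, cls, perm) for (src, _, cls), perms in rules.items()
                  for perm in perms if (src, cls, perm) in assertions)


if __name__ == '__main__':
    parsed = parse_avcs(SAMPLE_AUDIT_LOG)
    print(render_te(parsed))
    for hit in check_assertions(parsed):
        print('rule would violate a base-policy assertion:', hit)
```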