dovecot_auth_t wants capability audit_write and netlink_audit_socket create

Shintaro Fujiwara shin216 at xf7.so-net.ne.jp
Tue Jun 5 09:35:52 UTC 2007


On Mon, 2007-06-04 at 21:25 -0400, Matthew Gillen wrote:
> John Lindgren wrote:
> > Hi,
> > New to this list, not totally new to selinux.
> > 
> > Running F7 with everything current (06/04/2007), policy is
> > selinux-policy-targeted-2.6.4-8.fc7.
> > 
> > cat /var/log/audit/audit.log:
> > type=AVC msg=audit(1181003986.020:18662): avc:  denied  { audit_write }
> > for  pid=13774 comm="dovecot-auth" capability=29
> > scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> > 
> > type=AVC msg=audit(1181003859.499:18627): avc:  denied  { create } for
> > pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> > 
> > 
> > cat /var/log/audit/audit.log | audit2allow -M local:
> > 
> > 
> > cat local.te:
> > module local 1.0;
> > 
> > require {
> >         type dovecot_auth_t;
> >         class capability audit_write;
> >         class netlink_audit_socket { write nlmsg_relay create read };
> > }
> > 
> > #============= dovecot_auth_t ==============
> > allow dovecot_auth_t self:capability audit_write;
> > allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> > create read };
> > 
> > 
> > semodule -i local.pp:
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:capability { audit_write };
> > libsepol.check_assertions: 2 assertion violations occured
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule: Failed!
> > 
> > Should I add something magical (what, I'm not sure) to the .te to allow
> > this anyway? Or is there something missing from the distribution
> > targeted policy? Or edit the base policy and recompile the whole thing?
> > Or...
> > 
> > Anyone else having this problem?
> 
> Yep, I am.  Got tired of tinkering last night and just put it in permissive
> mode for the time being.
> 
> I'm getting slightly different .te file, but ultimately the same 2 assertion
> violations.
> 
> Matt
> 
Same here ...

I yum installed every selinux related package.
I made localaudit.pp by typing
#audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
at /usr/share/selinux/devel
#semodule -i localaudit.pp
violation reported by libsepol.check_assertions

local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };

So, I commented out those lines in localaudit.te, including the require brace.
This time I succeeded installing localaudit.pp.

I restarted my machine setting Enforcing/strict.
During the startup process, I could see Keymap had failed.
I can't login from console.
I typed as if on a US keyboard, not jp106, but I still can't.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
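
An added example, not part of the original thread: a small Python triage script that takes the audit2allow-generated rules and the semodule output quoted above and separates the permissions that libsepol's assertion check rejected from the ones it did not flag. The function names are this example's own, and the embedded sample text is copied from the quoted messages.

```python
import re

# Sample input copied from the thread: the rules in local.te and the
# semodule error output, with the mail line wrapping left in place.
LOCAL_TE = """\
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
create read };
"""
SEMODULE_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:capability { audit_write };
"""

# Matches "allow SRC TGT:CLASS PERM;" and "allow SRC TGT:CLASS { P1 P2 };"
RULE = re.compile(r"\ballow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def expand(text):
    """Return one (source, target, class, permission) tuple per permission."""
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    out = set()
    for src, tgt, cls, braced, single in RULE.findall(flat):
        tgt = src if tgt == "self" else tgt  # 'self' means the source type
        for perm in (braced or single).split():
            out.add((src, tgt, cls, perm))
    return out


def triage(te_text, semodule_output):
    """Split a module's rules into (not flagged, rejected by an assertion)."""
    rules = expand(te_text)
    rejected = rules & expand(semodule_output)
    return sorted(rules - rejected), sorted(rejected)


if __name__ == "__main__":
    not_flagged, rejected = triage(LOCAL_TE, SEMODULE_OUTPUT)
    for r in rejected:
        print("rejected by assertion: allow %s %s:%s %s;" % r)
    for r in not_flagged:
        print("not flagged:           allow %s %s:%s %s;" % r)
```

The rejected entries are the ones that made `semodule -i` fail in the thread; the others were generated by audit2allow but did not trigger an assertion.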



