dovecot_auth_t wants capability audit_write and netlink_audit_socket create

John Lindgren nwaero at northwest-aero.com
Tue Jun 5 22:51:25 UTC 2007


Just to close this thread out:

I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7

removed the local.pp I made earlier:
# semodule -r local

forced a reload of the policy:
# semodule -R

rotated the audit log:
# logrotate -f /etc/logrotate.d/audit

Then I went and exercised the mail system, sendmail, mailman, 
MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I 
remember when it was simpler.

took a look at the fresh audit.log
# audit2allow -a

And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write 
getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create 
unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;

But notice, NO DOVECOT!


made a module:
# cat /var/log/audit/audit.log | audit2allow -M localMAIL

installed it:
# semodule -i localMAIL.pp

put selinux back into enforce:
# setenforce 1

and re-rotated the log:
# logrotate -f /etc/logrotate.d/audit

Then sat back and waited for the phone to ring... {quiet}

Confirmed with:
# audit2allow -a

And got nothing. Everything working great now.

New policy package fixed dovecot problem, Thanks Again.

John

John Lindgren wrote:
> Thank You for your help!
> 
> John
> 
> Daniel J Walsh wrote:
> 
>> John Lindgren wrote:
>>
>>> I defined the other permissions in local.te so that it would compile 
>>> and then installed local.pp. Switching to setenforce 1 dovecot logins 
>>> with pam now WORK!... as far as I can tell. ;)
>>>
>>> Will upgrade to the new policy later tonight.
>>>
>>> Should I then remove the local.pp I just compiled and see what 
>>> messages I get?
>>>
>>> John
>>
>>
>> yes
>>
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
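The step in the post that matters for policy hygiene is reading `audit2allow -a` output before turning it into a module: the "NO DOVECOT" check is a by-eye scan for a domain that should no longer appear, and the remaining rules are installed wholesale with `audit2allow -M`. The following is an added example, not code from the post or from the SELinux tools; it parses text in the format `audit2allow -a` prints (the sample below is constructed from the rules quoted above), reports which source domains would receive new rules, answers the "is domain X clean now?" question programmatically, and lists the rules that would grant write-type permissions so those can be reviewed before `semodule -i`. The function names and the `WRITE_PERMS` list are my own choices, not anything from the tools.

```python
"""Parse audit2allow-style output and report which SELinux domains it
would grant new rules to. Added example; the sample text is constructed
from the rules shown in the mailing-list post."""
import re
from collections import OrderedDict

# Constructed sample in the format `audit2allow -a` prints: a header
# line per source domain followed by allow rules.
SAMPLE_AUDIT2ALLOW = """\
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
"""

HEADER_RE = re.compile(r"^#=+\s*(\S+)\s*=+$")
# allow <src> <tgt>:<class> { perm perm ... };   or   allow <src> <tgt>:<class> perm;
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;$"
)

# Permissions that let a domain change state rather than just observe it;
# these are the ones worth a second look before installing a module.
WRITE_PERMS = frozenset(
    {"write", "create", "unlink", "add_name", "remove_name", "setattr", "rmdir"}
)


def parse_audit2allow(text):
    """Return {source_domain: [(target_type, class, frozenset(perms)), ...]}.

    The #===== headers are informational; the allow line itself names the
    source domain, so the parser keys on that and skips the headers.
    """
    rules = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised audit2allow line: %r" % line)
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset((braced if braced is not None else single).split())
        rules.setdefault(src, []).append((tgt, cls, perms))
    return rules


def domains_with_denials(text):
    """Source domains for which audit2allow proposes at least one rule."""
    return list(parse_audit2allow(text).keys())


def domain_is_clean(text, domain):
    """True when no rule is proposed for `domain`, i.e. the installed policy
    already covered everything that domain did during the test run."""
    return domain not in parse_audit2allow(text)


def write_rules(text):
    """(src, tgt, class) triples whose proposed permissions include any
    write-type permission; review these before `semodule -i`."""
    out = []
    for src, rule_list in parse_audit2allow(text).items():
        for tgt, cls, perms in rule_list:
            if perms & WRITE_PERMS:
                out.append((src, tgt, cls))
    return out


if __name__ == "__main__":
    print("domains needing rules:", domains_with_denials(SAMPLE_AUDIT2ALLOW))
    print("dovecot_auth_t clean:", domain_is_clean(SAMPLE_AUDIT2ALLOW, "dovecot_auth_t"))
    for src, tgt, cls in write_rules(SAMPLE_AUDIT2ALLOW):
        print("review write access: %s -> %s:%s" % (src, tgt, cls))
```

To use it against a real system, pipe `audit2allow -a` into the script instead of the constructed sample; the point of `domain_is_clean` is that the "did the new policy package fix it?" check becomes a repeatable assertion after each policy upgrade rather than a visual scan of the output.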



