dovecot_auth_t wants capability audit_write and netlink_audit_socket create
Paul Howarth
paul at city-fan.org
Sun Jun 17 14:27:25 UTC 2007
On Tue, 2007-06-05 at 15:51 -0700, John Lindgren wrote:
> Just to close this thread out:
>
> I upgraded to:
> # rpm -qa|grep selinux-policy
> selinux-policy-targeted-2.6.4-13.fc7
> selinux-policy-2.6.4-13.fc7
> selinux-policy-devel-2.6.4-13.fc7
>
> removed the local.pp I made earlier:
> # semodule -r local
>
> forced a reload of the policy:
> # semodule -R
>
> rotated the audit log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then I went and exercised the mail system, sendmail, mailman,
> MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I
> remember when it was simpler.
>
> took a look at the fresh audit.log
> # audit2allow -a
>
> And there were all the usual suspects:
> #============= clamscan_t ==============
> allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
> allow clamscan_t clamd_var_lib_t:file { write create unlink };
> allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
> allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
> allow clamscan_t tmpfs_t:dir { read search getattr };
> allow clamscan_t tmpfs_t:file { read getattr };
> allow clamscan_t var_spool_t:file { read write };
>
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket name_connect;
>
> #============= procmail_t ==============
> allow procmail_t var_spool_t:file read;
>
> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;
>
> But notice, NO DOVECOT!
>
>
> made a module:
> # cat /var/log/audit/audit.log | audit2allow -M localMAIL
>
> installed it:
> # semodule -i localMAIL.pp
>
> put selinux back into enforce:
> # setenforce 1
>
> and re-rotated the log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then sat back and waited for the phone to ring... {quiet}
>
> Confirmed with:
> # audit2allow -a
>
> And got nothing. Everything working great now.
>
> New policy package fixed dovecot problem, Thanks Again.
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7).
I needed to add the following:

# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };

before dovecot-auth could run /sbin/unix-update and authenticate IMAP
clients.

Paul.
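The audit2allow step both posters rely on (collapse AVC denials into one allow rule per source type, target type and object class) as an added shell example, not code from the thread or from the SELinux tools; the audit.log lines it parses are constructed here, and the review_flags function is an added helper that picks out the execute-class grants a policy author would want to look at before running semodule -i.

```shell
#!/bin/sh
# Constructed AVC denials in audit.log format (not taken from either poster's log).
SAMPLE_AVCS='type=AVC msg=audit(1181900000.001:1): avc:  denied  { execute } for  pid=2001 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1181900000.002:2): avc:  denied  { execute_no_trans } for  pid=2001 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1181900000.003:3): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=110 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1181900000.004:4): avc:  denied  { read } for  pid=4001 comm="procmail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file'

# Reads audit.log lines on stdin and prints candidate allow rules, merging and
# deduplicating the permissions for each (source type, target type, class).
avc_to_allow() {
  awk '
  /avc: +denied/ {
    # permission list sits between "denied {" and "}"
    p = $0; sub(/.*denied +[{] */, "", p); sub(/ *[}].*/, "", p)
    # the type is the third colon-separated field of each context
    s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
    t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
    c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
    key = sa[3] " " ta[3] ":" c
    n = split(p, pa, " ")
    for (i = 1; i <= n; i++)
      if (!((key, pa[i]) in seen)) {
        seen[key, pa[i]] = 1
        perms[key] = perms[key] (perms[key] == "" ? "" : " ") pa[i]
      }
  }
  END {
    for (k in perms)
      if (index(perms[k], " ")) printf "allow %s { %s };\n", k, perms[k]
      else printf "allow %s %s;\n", k, perms[k]
  }' | sort
}

# Keeps only the rules that let a domain execute something (execute or
# execute_no_trans), the grants that widen what a daemon may run.
review_flags() {
  grep -E 'execute'
}

# On a live system the input would be /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
```

The generated dovecot_auth_t rule matches the one Paul had to add by hand, while the clamscan-style merging of several single-permission denials into one braced list is what audit2allow -a shows in the quoted output.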