* Re: Weird un-audited denial on tmp_t
From: dE @ 2014-07-02  4:08 UTC (permalink / raw)
  To: selinux

On 07/01/14 22:43, David wrote:
> Sorry, I know this isn't fedora (CentOS 5 actually) but I believe this
> may be a more generic situation.
>
> I recently was trying to troubleshoot an issue where a process spawned
> off under the dovecot_t process type and needed to create files under /tmp
> (tmp_t).
>
> This wasn't obvious as there were no denial messages in audit for
> tmp_t.  Even using "semodule -DB" didn't show denial messages.  All I
> knew was the process was trying to read/write files and was getting
> access denied.  I just didn't know where or why.
>
> Eventually an strace on the process tree showed the access attempt to
> /tmp.  Since I knew policy would be required to create tmp types I went
> ahead and added tmp file transitions and appropriate supporting
> permissions around the new dovecot_tmp_t type.  This fixed the problem.
>
> What is surprising to me is that there were no denial messages related
> to tmp_t or dovecot_t.  Nothing, regardless of permissive vs enforcing,
> or semodule -DB set.
>
> Any clue as to why this wouldn't trigger a log message?
>
> This is a strict, not targeted policy, yes I know very old school.
>
> Thanks,
> David

After you've removed all dontaudits, does seinfo show any Dontaudit?
