* Re: Weird un-audited denial on tmp_t
From: dE @ 2014-07-02 4:08 UTC (permalink / raw)
To: selinux
On 07/01/14 22:43, David wrote:
> Sorry, I know this isn't fedora (CentOS 5 actually) but I believe this
> may be a more generic situation.
>
> I recently was trying to troubleshoot an issue where a process spawned
> off under the dovecot_t process type and needed to create files under /tmp
> (tmp_t).
>
> This wasn't obvious as there were no denial messages in audit for
> tmp_t. Even using "semodule -DB" didn't show denial messages. All I
> knew was the process was trying to read/write files and was getting
> access denied. I just didn't know where or why.
>
> Eventually an strace on the process tree showed the access attempt to
> /tmp. Since I knew policy would be required to create tmp types I went
> ahead and added tmp file transitions and appropriate supporting
> permissions around the new dovecot_tmp_t type. This fixed the problem.
>
> What is surprising to me is that there were no denial messages related
> to tmp_t or dovecot_t. Nothing, regardless of permissive vs enforcing,
> or semodule -DB set.
>
> Any clue as to why this wouldn't trigger a log message?
>
> This is a strict, not targeted policy, yes I know very old school.
>
> Thanks,
> David
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
After you've removed all dontaudits, does seinfo show any Dontaudit?
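The check dE is pointing at, worked through as an added example (this is not code from the thread, from setools, or from the reference policy): parse what `seinfo --stats` and `sesearch --dontaudit` print, confirm the Dontaudit counter actually dropped to zero after `semodule -DB`, and test whether a given source/target/class/permission would be swallowed by a dontaudit rule. The parser accepts both the setools 3 layout (CentOS 5 era, `type : class { perms } ;`) and the setools 4 layout (`type:class { perms };`). The sample seinfo and sesearch outputs are constructed for the example, as is the assumption that `dovecot_t` carries the `domain` attribute; the command flags quoted in the docstring are the ones in the setools man pages, but check them on your own release.

```python
"""Check whether an SELinux access is being silenced by a dontaudit rule.

Added example for this thread (not code from the list or from setools). It
parses the text that `seinfo --stats` and `sesearch --dontaudit` print, in
both the setools 3 layout (CentOS 5 era) and the setools 4 layout, and tells
you whether a given source/target/class/permission would be dropped from the
audit log. The sample outputs below are constructed for the example.

Typical use on a live system (flags per the setools man pages; confirm them
on your release):

    seinfo --stats | grep -i dontaudit          # how many rules are silent
    sesearch --dontaudit -s dovecot_t -t tmp_t  # which ones hit this pair
    semodule -DB                                # rebuild without dontaudit
    ... reproduce, then ausearch -m avc -ts recent ...
    semodule -B                                 # put the rules back
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class AvRule(NamedTuple):
    kind: str        # allow / dontaudit / auditallow / neverallow
    source: str      # type or attribute
    target: str      # type, attribute, or "self"
    tclass: str
    perms: frozenset


# setools 3:  "   dontaudit dovecot_t tmp_t : dir { getattr search } ;"
# setools 4:  "dontaudit dovecot_t tmp_t:dir { getattr search };"
_RULE_RE = re.compile(
    r"^\s*(allow|dontaudit|auditallow|neverallow)\s+"
    r"(\S+)\s+(\S+?)\s*:\s*(\S+)\s+"
    r"(?:\{\s*([^}]*?)\s*\}|(\S+))\s*;"
)


def parse_av_rules(text: str) -> List[AvRule]:
    """Parse sesearch output; header lines ('Found N ...') are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m is None:
            continue
        kind, src, tgt, tclass, braced, single = m.groups()
        rules.append(AvRule(kind, src, tgt, tclass,
                            frozenset((braced or single).split())))
    return rules


def dontaudit_count(stats_text: str) -> int:
    """Read the 'Dontaudit:' counter from `seinfo --stats`.

    After `semodule -DB` this must be 0. A non-zero value means the rebuilt
    policy was not actually loaded, so a missing AVC message still proves
    nothing."""
    m = re.search(r"Dontaudit:\s*(\d+)", stats_text)
    if m is None:
        raise ValueError("no Dontaudit counter in seinfo output")
    return int(m.group(1))


def silencing_rules(rules: Iterable[AvRule], source: str, target: str,
                    tclass: str, perm: str,
                    attrs: Optional[Dict[str, Set[str]]] = None) -> List[AvRule]:
    """Return the dontaudit rules that swallow source -> target:tclass perm.

    Rules are often written against attributes (e.g. 'domain') rather than
    the concrete type, so `attrs` maps a type to the attributes it carries
    (`seinfo -t <type> -x` lists them); 'self' matches when source and
    target are the same type."""
    attrs = attrs or {}
    src_names = {source} | attrs.get(source, set())
    tgt_names = {target} | attrs.get(target, set())
    return [
        r for r in rules
        if r.kind == "dontaudit"
        and r.tclass == tclass
        and perm in r.perms
        and r.source in src_names
        and (r.target in tgt_names or (r.target == "self" and source == target))
    ]


# Constructed sample output (not from a real policy); it mixes both layouts
# so the parser is exercised on each.
SAMPLE_SESEARCH = """\
Found 3 semantic av rules:
   dontaudit dovecot_t tmp_t : dir { getattr search } ;
   dontaudit dovecot_t tmp_t : file { getattr read write } ;
dontaudit domain tmp_t:dir { getattr search };
"""
SAMPLE_SEINFO_BEFORE = "   Auditallow:        151    Dontaudit:      184393\n"
SAMPLE_SEINFO_AFTER = "   Auditallow:        151    Dontaudit:           0\n"


def main() -> None:
    rules = parse_av_rules(SAMPLE_SESEARCH)
    print("dontaudit rules loaded:", dontaudit_count(SAMPLE_SEINFO_BEFORE))
    for cls, perm in (("file", "write"), ("dir", "add_name"), ("file", "create")):
        hits = silencing_rules(rules, "dovecot_t", "tmp_t", cls, perm,
                               attrs={"dovecot_t": {"domain"}})  # assumed attr
        state = "SILENCED by %d rule(s)" % len(hits) if hits else "would be logged"
        print("dovecot_t -> tmp_t:%s %s: %s" % (cls, perm, state))
    print("after semodule -DB:", dontaudit_count(SAMPLE_SEINFO_AFTER))


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when the counter is zero and the log is still empty: with auditd stopped, the kernel prints AVC records through the kernel log instead, so look in dmesg and /var/log/messages rather than /var/log/audit/audit.log; and a dontaudit on one permission (say file write) does not cover the neighbours a file creation needs (dir add_name, file create), so the denial you are hunting may be on a different permission than the one you expect.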