Bug 474233
Summary: | selinux prevents dovecot-auth appending to faillog | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Philip Goisman <goisman> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE <qe-baseos-auto> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.4 | CC: | jeevanullas |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-02-07 11:52:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Philip Goisman
2008-12-02 21:41:07 UTC
Hmm, seems like this policy works:

```
policy_module(mydovecot, 1.0)

require {
        type dovecot_auth_t;
        type var_log_t;
        type faillog_t;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;
```

Fixed in selinux-policy-2.4.6-198.el5.src.rpm

If this is fixed in selinux-policy-2.4.6-198.el5.src.rpm shouldn't el5 auto updates have updated selinux by now? I currently have the following:

```
selinux-policy-strict-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2
selinux-policy-devel-2.4.6-137.1.el5_2
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-mls-2.4.6-137.1.el5_2
```

But on the FC9 systems I just received the following update:

```
selinux-policy-devel-3.3.1-111.fc9.noarch
selinux-policy-3.3.1-111.fc9.noarch
selinux-policy-targeted-3.3.1-111.fc9.noarch
```

Regarding Deependra's reply, do I just create another pp file like mydovecotfix.pp with the code from comment #1, and then run `semodule -i mydovecotfix.pp`?

Ok, I'm an idiot. I found http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 which tells me what to do with Deependra's code. I'll try that and let you all know if that works. Meanwhile, do I need to build selinux-policy from source, or will the update of selinux-policy-2.4.6-198.el5 automatically occur?

Deependra's code gave some errors. So, I modified it as follows:

```
module mydovecotauth 1.0;

require {
        type dovecot_auth_t;
        type var_log_t;
        type faillog_t;
        class dir search;
        class file read;
        class file write;
        class file getattr;
        class file append;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;
```

This compiled. So, I loaded it. And, faillog is updated on a failed password entry as expected. Thank you Deependra and http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385. Hopefully selinux-policy-2.4.6-198.el5 will be in the RHEL5.3 update.
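An added example, not part of the original report or of the selinux-policy project: a small Python check that compares the two module forms posted in this thread and lists what a stand-alone module leaves undeclared. It assumes the module is compiled directly with `checkmodule`, which needs a `module` statement and a `require` entry for every type, class and permission the rules use (`policy_module()` is a reference-policy macro that only the selinux-policy-devel Makefile expands). The function names are hypothetical and only simple `allow` rules are parsed.

```python
import re

def split_require(te):
    """Return (require body, rest of module), matching nested braces."""
    pos = te.find("require")
    if pos < 0:
        return "", te
    start, depth = te.index("{", pos), 0
    for i in range(start, len(te)):
        depth += {"{": 1, "}": -1}.get(te[i], 0)
        if depth == 0:
            return te[start + 1:i], te[:pos] + te[i + 1:]
    raise ValueError("unbalanced require block")

def undeclared(te):
    """List what the allow rules use but the module does not declare."""
    te = re.sub(r"#.*", "", te)                      # drop comments
    req, rest = split_require(te)
    types = set(re.findall(r"\btype\s+(\w+)\s*;", req))
    perms = {}
    for cls, names in re.findall(r"\bclass\s+(\w+)\s+\{?([^;{}]*)\}?\s*;", req):
        perms.setdefault(cls, set()).update(names.split())
    problems = []
    if not re.search(r"^\s*module\s+\w+\s+[\d.]+\s*;", rest, re.M):
        problems.append("module statement")
    rule = r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+\{?([^;{}]*)\}?\s*;"
    for src, tgt, cls, names in re.findall(rule, rest):
        problems += [f"type {t}" for t in (src, tgt) if t not in types]
        problems += [f"class {cls} {p}" for p in names.split()
                     if p not in perms.get(cls, ())]
    return sorted(set(problems))

# Sample inputs assembled from the two modules quoted in the thread.
RULES = """
allow dovecot_auth_t faillog_t:file { read write getattr append };
allow dovecot_auth_t var_log_t:dir search;
"""
TYPES = "type dovecot_auth_t; type var_log_t; type faillog_t;"
# First form: macro header, no class declarations.
FIRST = "policy_module(mydovecot, 1.0)\nrequire { " + TYPES + " }\n" + RULES
# Second form: module statement plus one class line per permission.
SECOND = ("module mydovecotauth 1.0;\nrequire { " + TYPES +
          " class dir search; class file read; class file write;"
          " class file getattr; class file append; }\n" + RULES)

if __name__ == "__main__":
    print(undeclared(FIRST))
    print(undeclared(SECOND))
```

The same check accepts the grouped form `class file { read write getattr append };` in the `require` block.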