Description of problem:
Testing out dovecot on EL6.1, seeing:

type=AVC msg=audit(1319755026.871:90): avc: denied { sys_nice } for pid=2602 comm="auth" capability=23 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1319755026.871:90): avc: denied { setsched } for pid=2602 comm="auth" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.7.noarch

Seems to happen when a user logs in. Doesn't appear to affect anything.
cat /usr/include/linux/capability.h
...
/* Allow raising priority and setting priority on other (different UID) processes */
/* Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process. */
/* Allow setting cpu affinity on other processes */
#define CAP_SYS_NICE 23

Looks like dovecot_auth_t is changing #2

/* Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process. */

I just added this to F16 policy. Strange that we have never seen this before. Has there been a new release of dovecot?
Not recently:

* Thu Jan 13 2011 Michal Hlavinka <mhlavink> - 1:2.0.9-1
- dovecot updated to 2.0.9

* Thu Jan 13 2011 Michal Hlavinka <mhlavink> - 1:2.0.8-1
- dovecot updated to 2.0.8 (fixes #654226), pigeonhole updated to 0.2.2

Not sure when it got pushed out though.
Fixed in selinux-policy-3.7.19-122.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html
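
Added example, not part of the original report or of the selinux-policy project: a small parser that reads the two AVC records from the description and groups them into the candidate allow rules a policy author would review, written in the style audit2allow prints. The function names are hypothetical, and the sample input is the two records copied from the report.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report's description.
SAMPLE = """\
type=AVC msg=audit(1319755026.871:90): avc: denied { sys_nice } for pid=2602 comm="auth" capability=23 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1319755026.871:90): avc: denied { setsched } for pid=2602 comm="auth" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:system_r:dovecot_auth_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs after "for"; values may be double-quoted (comm="auth").
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
    rec = {k: v.strip('"') for k, v in fields.items()}
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]


def candidate_rules(text):
    """Group denials by (source type, target, class) and merge permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not a denial, or a truncated record
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        # When source and target type match, the rule is written with "self".
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_s = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

Both denials resolve to dovecot_auth_t acting on itself, which is why the rules come out as `self` rules for the capability and process classes.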