On 04/04/2018 01:55 PM, leam hall wrote:
On Wed, Apr 4, 2018 at 6:19 AM, Lukas Vrabec lvrabec@redhat.com wrote:
On 04/02/2018 07:20 PM, leam hall wrote:
On Fri, Mar 30, 2018 at 5:18 PM, Simon Sekidde ssekidde@redhat.com wrote:
Leam,
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Didn't see it. Stock and patched RHEL 6.
This could be a kernel bug. We had a discussion about it: https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c5193578...
But if you're running RHEL6, the bug shouldn't be there. If you still see these AVCs, please dontaudit it as mentioned in the email from Simon.
Lukas.
Not sure we want to hide the denial. Doesn't that mean SELinux is preventing Postfix from doing something it thinks it should do? Wouldn't allowing it be better, assuming Postfix is supposed to do whatever?
This SELinux denial is caused by a bug in the kernel; most probably postfix doesn't really need to request the kernel to add a new module. You have 2 options here:
First one, dontaudit it, which means that it won't be allowed and you won't be spammed about this in the audit log.
Second one, I don't dontaudit it and wait until it is (hopefully) fixed in the kernel.
Lukas.
Or do I not understand?
Leam
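
An added example, not part of the thread or of the selinux-policy project: a small Python triage over constructed audit.log lines that singles out the postfix-to-kernel_t module_request denials discussed above and emits a dontaudit rule only for them, so every other denial stays visible. The sample log lines and the `postfix_` prefix match (standing in for the `postfix_domain` attribute) are assumptions.

```python
import re

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1522850101.101:501): avc:  denied  { module_request } for  pid=2201 comm="smtpd" kmod="net-pf-10" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522850102.202:502): avc:  denied  { module_request } for  pid=2202 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522850103.303:503): avc:  denied  { read } for  pid=2203 comm="smtpd" name="shadow" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def con_type(context):
    """Return the type field (third field) of user:role:type[:level]."""
    return context.split(":")[2]

def triage(log_text):
    """Separate the module_request noise from denials that still need review."""
    noise, review = set(), []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = con_type(m["scon"]), con_type(m["tcon"])
        perms = m["perms"].split()
        # Assumption: a "postfix_" type prefix stands in for the postfix_domain attribute.
        if (src.startswith("postfix_") and tgt == "kernel_t"
                and m["tclass"] == "system" and perms == ["module_request"]):
            noise.add(src)
        else:
            review.append((src, tgt, m["tclass"], perms))
    return sorted(noise), review

def dontaudit_rules(noise_domains):
    """Emit one narrowly scoped dontaudit rule per source type seen."""
    return [f"dontaudit {d} kernel_t:system module_request;" for d in noise_domains]

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("\n".join(dontaudit_rules(noise)))
    for item in review:
        print("still needs review:", item)
```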