Thanks for the advice. Will see what I can get done this evening. On 04/26/2017 06:27 PM, Gordon Messmer wrote: > On 04/26/2017 12:29 AM, Robert Moskowitz wrote: >> But the policy generates errors. I will have to submit a bug report, >> it seems > > > A bug report would probably be helpful. > > I'm looking back at the message you wrote describing errors in > ld-2.17.so. I think what's happening is that the policy on your > system includes a silent rule that somehow breaks your system. You'll > need to turn on debugging (logging the otherwise silent AVCs) to > figure this out, in order to provide information that the maintainers > can use to actually fix the problem. > > So, similar to the previous process: > > 1: semodule -DB > 2: setenforce permissive > 3: tail -f /var/log/audit/audit.log | grep AVC > 4: use the service, exercise each function that's constrained by the > existing policy > 5: copy and paste the output from the terminal used for #2 into > "audit2allow -M <modulename>" > 6: setenforce enforcing > 7: semodule -B > > You'll want to do this with your custom policy installed. In the > terminal that's following audit.log, you should now see AVCs logged > that you didn't before. Please send them to the list. > > If you're only interested in resolving your problem, it should be > sufficient to build one new module with the AVCs logged here. If you > want to produce a useful bug report and fix the problem for the > future, for everyone, you need to first get back into enforcing mode > and THEN build a new module with each individual AVC, installing each > one and then testing dovecot, until you resolve the problem, and then > removing all of the other new modules until you confirm that you've > found one (or a minimal combination) of rules that is causing dovecot > to crash and log a backtrace. > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >