Question about split between delivered and local policy

David Highley dhighley at highley-recommended.com
Fri Jul 10 05:05:31 UTC 2009


"Daniel J Walsh wrote:"
> 
> On 07/09/2009 03:51 PM, Daniel Fazekas wrote:
> > On Jul 9, 2009, at 21:36, David Highley wrote:
> > 
> >> For example, email seems to always need selinux policy changes so that
> >> avc's are not blocking spamassassin and pyzor.
> > 
> > SpamAssassin and Pyzor should be working fine without any further
> > tweaking since some Fedora releases ago. Some time around Fedora 8 or 9.
> > 
> > Are you using the spamassassin service (spamd)?
> > Are the relevant spamassassin selinux bools enabled?
> > 
> > # getsebool -a | grep spam
> > spamassassin_can_network --> on
> > spamd_enable_home_dirs --> on
> > 
> > If they still don't work properly this way, you should check if the
> > contexts went wrong with some files in the home directories.
> > restorecon -Rv /root /home
> > 
> > I think if you aren't doing anything unusual yet basic packages break,
> > the recommended course of action is to file a Bugzilla report rather
> > than try and patch it with your custom local policy.
> > 
> > -- 
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Well as we move forward we are putting more and more labels in the homedir. So just maintaining the labels on the Homedir, from Previous to new is not going to work.  
> 
> If we ever want to get confined user applications to work in the homedir, we got to get a mechanism to set these labels at creation time.  In Rawhide right now, I have a restorecond running in user space watching for creation of files in the homedir to make sure they are labeled correct.  So if a user just executes mkdir .ssh or mkdir public_html it gets labeled correctly without the user having to be an SELinux expert.  Similarly tools like firefox/nsplugin and other tools rely on the homedir being correctly labeled to add confinement.

I agree, home directories are problematic. I submitted 5 bug reports.
There were some avc's that I did not submit as they may be tied up in the
gdm respawning bug 499489. Installed the unreleased patch which fixed the
issue of not being able to log in and I'm not seeing the avc's that were
occurring.

Is there a way to un-compile the policies we created? Thought it might be
of interest to post or provide for the bug reports. I'm assuming that we
would just remove the policy file if we wanted to revert back after, if
new policy updates fix the issues we have run into.

Also needed to do label changes for the MythTV packages from the
rpmfusion repo to get the web interface to work. These are new packages;
we will provide feedback to them.

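The checks Daniel Fazekas describes above (confirm the two spamassassin booleans are on, then relabel the home directories) are easy to script so they can be re-run after every policy update. The following is an added example, not code from the thread or from Fedora's policy packages: it parses `getsebool -a` output, reports which of the two booleans the thread names are off or absent from the loaded policy, and prints the `setsebool -P` and `restorecon` commands that would fix it. The `getsebool` sample is constructed for offline use; pass `--live` on an SELinux host to run against the real boolean state. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: audit the spamassassin booleans named in the thread and
# emit the fix commands. Runs offline against a constructed sample; with
# --live it reads the real `getsebool -a` output instead.

REQUIRED_BOOLS="spamassassin_can_network spamd_enable_home_dirs"

# Constructed sample of `getsebool -a` output (not captured from a real
# host): one required boolean is off, one unrelated boolean is present.
SAMPLE_GETSEBOOL='spamassassin_can_network --> off
spamd_enable_home_dirs --> on
spamd_update_t --> off'

# missing_bools <getsebool-output>
# Prints, one per line and in REQUIRED_BOOLS order, each required boolean
# that is not "on". A boolean the loaded policy does not define at all is
# reported with a note, since setsebool cannot create it.
missing_bools() {
    out="$1"
    for b in $REQUIRED_BOOLS; do
        # getsebool lines look like: name --> on   ($1=name, $3=state)
        state=$(printf '%s\n' "$out" | awk -v b="$b" '$1 == b { print $3 }')
        case "$state" in
            on) ;;
            "") echo "$b (boolean absent from loaded policy)" ;;
            *)  echo "$b" ;;
        esac
    done
}

# fix_commands <getsebool-output>
# Prints the commands a practitioner would run: setsebool -P for each
# settable boolean that is off, then the relabel step from the thread.
fix_commands() {
    missing_bools "$1" | while read -r name rest; do
        # A boolean that is absent cannot be set; skip it (it was reported above).
        [ -n "$rest" ] && continue
        echo "setsebool -P $name on"
    done
    # Relabel the home directories as advised in the thread; add -n to
    # only report what would change instead of changing it.
    echo "restorecon -Rv /root /home"
}

# Live mode: only meaningful on a host with the SELinux userland installed.
if [ "${1:-}" = "--live" ] && command -v getsebool >/dev/null 2>&1; then
    fix_commands "$(getsebool -a)"
else
    fix_commands "$SAMPLE_GETSEBOOL"
fi
```

The output is commands rather than actions on purpose: on a production mail host you want to read `setsebool -P` and a recursive `restorecon` over `/home` before running them, and the printed list is also what you would paste into a Bugzilla report to show what state the box was in.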