Ivan wrote:
> Yes. It seems like it's currently able to run shells (shell_exec_t).
> Doesn't appear like it can run python (bin_t).

Hmmm... maybe Python should be considered a shell? From the POV of SELinux policy, is the defining characteristic of a shell that it is interactive, or that it runs scripts? I notice that bash has shell_exec_t, while csh has only bin_t.

> Also, I think enumerating what can be run in the postfix policy is not a
> very good idea - should have a macro instead, to be called by client
> domains. The macro would go into postfix.if.

Sure, but my immediate goal is to find the simplest way to change it such that I can turn enforcing back on again on my server. While it would be great to do it in a correct and elegant manner, I think it's going to be a while before I understand this stuff well enough to do that.

Eric