On Wed, 2008-03-05 at 15:16 +0000, Arthur Dent wrote: > Hello Chaps, > > I'm running SELinux in permissive mode on F8. I was thinking of switching to > enforcing mode and took a peek inside /var/log/messages to see what denials > SELinux is currently reporting. I was *horrified* - there must be thousands > there! Doing "cat /var/log/audit/audit.log" is even worse - it takes about a minute to > scroll through! > > They mainly relate to procmail, clamd and samba but I get many reports of > incorrectly labelled files (file_t). > > I want to tackle these one step at a time and I think the first place to start > is with the incorrectly labelled files. > > I have tried the "touch ./autorelabel; reboot" trick (several times!) but I > still get the same errors. > > As a mater of interest, I have a procmail recipe which writes a copy of every > mail I receive to a backup area on my /dev/sda8 partition, mounted as > /mnt/backup/ by fstab. (It is an ext3 partition). > > I have tried doing: > "restorecon -v -R /mnt/backup" > and even: > "fixfiles relabel" > > on this partition, but I gather this will not work. I think that I must > somehow define a policy for this (and probably other) partition(s), but I am > unclear as to how to go about this. You might try something like this, assuming that you only store mail files under /mnt/backup and only procmail requires access: semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?" restorecon -v -R /mnt/backup If you need other things to be able to access it, then we'll have to know more to decide how to label it, or you could possibly move it to a subdir of /mnt/backup like /mnt/backup/spool that can be devoted to procmail's use. > I am reasonably familiar with Linux generally, but am a complete SELinux > virgin (and frankly scared silly of it). I normally turn off SELinux as my > first action after installing a distro, but I think it's about time I got to > grips with its security benefits. > > I would be very grateful therefore if someone could hold my hand through this > learning process! > > I have to run this particular box headless and access via ssh so I have to do > everything with command-line tools. > > > Thanks in advance... > > Mark > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list