Re: Question about split between delivered and local policy

On 07/10/2009 01:05 AM, David Highley wrote:
"Daniel J Walsh wrote:"
On 07/09/2009 03:51 PM, Daniel Fazekas wrote:
On Jul 9, 2009, at 21:36, David Highley wrote:

For example, email seems to always need selinux policy changes so that
avc's are not blocking spamassassin and pyzor.
SpamAssassin and Pyzor should be working fine without any further
tweaking since some Fedora releases ago. Some time around Fedora 8 or 9.

Are you using the spamassassin service (spamd)?
Are the relevant spamassassin selinux bools enabled?

# getsebool -a | grep spam
spamassassin_can_network -->  on
spamd_enable_home_dirs -->  on

If they still don't work properly this way, you should check if the
contexts went wrong with some files in the home directories.
restorecon -Rv /root /home

I think if you aren't doing anything unusual yet basic packages break,
the recommended course of action is to file a Bugzilla report rather
than try and patch it with your custom local policy.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well, as we move forward we are putting more and more labels in the homedir. So just maintaining the labels on the homedir, from previous to new, is not going to work.

If we ever want to get confined user applications to work in the homedir, we've got to get a mechanism to set these labels at creation time. In Rawhide right now, I have a restorecond running in user space watching for creation of files in the homedir to make sure they are labeled correctly. So if a user just executes mkdir .ssh or mkdir public_html it gets labeled correctly without the user having to be an SELinux expert. Similarly tools like firefox/nsplugin and other tools rely on the homedir being correctly labeled to add confinement.

I agree, home directories are problematic. I submitted 5 bug reports.
There were some avc's that I did not submit as they may be tied up in the
gdm respawning bug 499489. Installed the unreleased patch which fixed the
issue of not being able to log in and I'm not seeing the avc's that were
occurring.

Is there a way to un-compile the policies we created? Thought it might be
of interest to post or provide for the bug reports. I'm assuming that we
would just remove the policy file if we wanted to revert back after if
new policy updates fix issues we have run into.
semodule -r YOURPOL

Will remove a policy module.

Also needed to do label changes for the Mythtv packages from the
rpmfusion repo to get the web interface to work. These are new packages,
we will provide feedback to them.

Send me the new labels.