Hi, Working on the Postfix chapter in my SELinux managing confined services book [0] and am having trouble with Postfix/spamassassin. I have got email traversing back and forth just fine, but I am trying to invoke a denial or a problem for which I can document the work-around. spamassassin_can_network seems to be a good Boolean to explain, show the denial and then show the work-around for. This Boolean is off by default, which as far as I can tell would stop spamassassin from launching as a daemon listening on the machine's actual IP/interface. But my problem is that it is launching without a problem and listening on the machine's interface without error. I am assuming that it is working fine because the spamassassin processes are only launching as initrc_t, when it should be transitioning to something else..? # ps -eZ | grep spamd unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd # ls -lZ /etc/init.d/spamassassin -rwxr-xr-x. rootrootsystem_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin (I tried labelling this differently to this default setting, to spamd_initrc_exec_t, but to no avail.) # getsebool -a | grep spam spamassassin_can_network --> off spamd_enable_home_dirs --> on Basically I need to make sure spamassassin is starting normally so that the Boolean mentioned will block access. So any help is appreciated, should spamassassin as a daemon transition to something other than initrc_t? And how do I get it to do so? Or am I going down the wrong track to get this Boolean which is off by default to do something which I can demonstrate and fix? Thank you, -- Scott Radvan Content Author, Platform (Installation and Deployment) Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
