On 11/02/2010 10:28 AM, Jonathan Kamens wrote:
> Hi Daniel,
>
> Thanks for the response (and thanks to Pinto Elia as well).
>
> On 11/2/2010 8:12 AM, Daniel J Walsh wrote:
>> How about trying
>>
>> postfix_domtrans_master(procmail_t)
> I have no idea what this means. Is it preferable to just using
> audit2allow to figure out exactly which permissions are needed and
> create a new policy allowing them?
>> There is a dontaudit rule that is blocking you from receiving the
>> message in the audit log. You can turn off dontaudit rules by executing
>>
>> # semodule -DB
>>
>> Turn them back on by executing
>>
>> # semodule -B
> Yes, that was it. Thanks.
>
> jik
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

audit2allow will only translate the AVCs as they happen. SELinux policy
language includes a full interface language that can even be generated
by audit2allow -R. The interfaces are defined under
/usr/share/selinux/devel/include.

domtrans functions indicate that the application running as procmail_t
will start a process running as postfix_master_t, if it executes a file
labeled postfix_master_exec_t. postfix_master_t probably has all of the
rules needed to run postfix_master.

Sometimes if you are only going to use a small part of the application
you do not want to transition. It all depends on your security goals.
If you expect postfix_master to be able to do everything postfix_master
can do, it is better to transition.
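
The transition described in the reply above, written as a local policy module. This is an added example, not part of the original message or of the Fedora policy. Assumptions: the module name local_procmail_postfix is hypothetical, and the commented raw rules are an approximate expansion of the reference policy domain transition pattern, which varies by policy version.

```selinux
# local_procmail_postfix.te  (hypothetical module name, added example)
policy_module(local_procmail_postfix, 1.0.0)

# Types this module uses but does not define.
gen_require(`
	type procmail_t;
')

# Let procmail_t execute files labeled postfix_master_exec_t and have the
# new process run as postfix_master_t, so it runs under the rules already
# written for that domain.
postfix_domtrans_master(procmail_t)

# Roughly what the interface call above stands for as raw rules
# (approximate, check the installed postfix.if under
# /usr/share/selinux/devel/include for the exact definition):
#
#   allow procmail_t postfix_master_exec_t:file { getattr open read execute };
#   allow procmail_t postfix_master_t:process transition;
#   type_transition procmail_t postfix_master_exec_t:process postfix_master_t;
#   allow postfix_master_t procmail_t:fd use;
#   allow postfix_master_t procmail_t:process sigchld;
#
# audit2allow without -R produces allow rules for procmail_t itself, one
# denial at a time, and the process stays in procmail_t. The interface
# instead hands the work to postfix_master_t in one step.

# Build and load (needs the policy development files installed):
#   make -f /usr/share/selinux/devel/Makefile local_procmail_postfix.pp
#   semodule -i local_procmail_postfix.pp
#
# While debugging, dontaudit rules can hide denials from the audit log:
#   semodule -DB    (rebuild policy with dontaudit rules disabled)
#   semodule -B     (rebuild policy with dontaudit rules restored)
```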