On 05/29/2012 08:55 AM, Dominick Grift wrote:
> On Tue, 2012-05-29 at 13:50 +0100, lejeczek wrote:
>> hi everybody
>>
>> I wonder why dovecot when run with spool in users' homes would need
>> allow_ypbind=1 would you know?
>
> What AVC denials are you seeing? Setroubleshoot and/or audit2why does not
> make optimal suggestions.
>
>> thanks!
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, setroubleshoot and audit2allow/audit2why are just looking for a boolean
that would allow the access. allow_ypbind is a very powerful boolean which
allows all apps that call getpw to listen on any port and to connect to any
port. Unless you are actually using NIS/YP in your environment you should
never turn on allow_ypbind.

Most likely dovecot is trying to connect or listen on an unexpected port. So
you could either add custom policy or modify the ports that dovecot
listens/connects to.

Best to show us the AVCs.
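
As an added example (not part of the original thread), this Python script pulls the port-related AVC denials for dovecot out of audit log text, so the unexpected port the reply suspects is visible before anyone turns on allow_ypbind. The log lines, port numbers and the `port_denials` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338295801.101:410): avc:  denied  { name_bind } for  pid=2101 comm="dovecot" src=10143 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338295802.202:411): avc:  denied  { name_connect } for  pid=2107 comm="auth" dest=3890 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338295809.303:415): avc:  denied  { name_bind } for  pid=2101 comm="dovecot" src=10143 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338295810.404:416): avc:  denied  { read } for  pid=2110 comm="imap" name="mbox" dev=dm-0 ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1338295811.505:417): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

PERMS = re.compile(r"\{ ([^}]*) \}")
SCON_TYPE = re.compile(r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)")
TCON_TYPE = re.compile(r"tcontext=[^:\s]+:[^:\s]+:([^:\s]+)")
TCLASS = re.compile(r"tclass=(\w+)")
PORT = re.compile(r"\b(?:src|dest)=(\d+)")  # src= on name_bind, dest= on name_connect
PORT_PERMS = {"name_bind", "name_connect"}


def port_denials(log_text, domain_prefix="dovecot"):
    """Count denied bind/connect attempts per (domain, perm, proto, port, port type)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "avc:" not in line or "denied" not in line:
            continue
        fields = [rx.search(line) for rx in (PERMS, SCON_TYPE, TCON_TYPE, TCLASS, PORT)]
        if not all(fields):
            continue  # not a port denial (e.g. a file access with no src=/dest=)
        perms, sdom, ttype, tclass, port = (m.group(1) for m in fields)
        if not sdom.startswith(domain_prefix):
            continue  # some other confined domain
        proto = tclass.split("_")[0]  # tcp_socket -> tcp, udp_socket -> udp
        for perm in perms.split():
            if perm in PORT_PERMS:
                counts[(sdom, perm, proto, int(port), ttype)] += 1
    return counts


if __name__ == "__main__":
    for (dom, perm, proto, port, ttype), n in sorted(port_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{dom}: {perm} {proto}/{port} (labelled {ttype}) denied {n}x")
```

Each reported port is a candidate for the two fixes named in the reply: a custom policy rule for that port, or moving dovecot to a port the policy already allows.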