-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2012 06:58 AM, Matej Cepl wrote:
> Hi,
>
> I have found that my server (running RHEL 6 with plenty of EPEL
> stuff, most interesting here is probably Zarafa) is still in permissive
> mode. Before switching to enforcing again I ran ausearch -m AVC -ts
> this-week and got the attached list of AVC denials. I am not sure what
> to do about these, but before I blindly file bugs into bugzilla (or blindly
> switch on various booleans), I thought to ask for advice here.
>
> [root@luther selinux-research]# audit2allow <avc-this-week.txt \
>     |grep -v '^#'|grep -v '^\s*$'
> allow httpd_t postfix_public_t:dir search;
> allow httpd_t postfix_public_t:fifo_file { write getattr open };
> allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
> allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
> allow httpd_t postfix_spool_t:dir search;
> # is httpd_can_sendmail --> off really to blame? Or is there some weird
> # interaction between Zarafa webmail and postfix?

I do not know, but I would figure these should require httpd_can_sendmail,
but I am not sure if the boolean would provide all of these.

> allow httpd_t self:process setrlimit;
> # this just happened once, and I don't feel well about switching the
> # httpd_setrlimit boolean on without knowing why it is required.
>
> My booleans related to http:
>
> [root@luther selinux-research]# getsebool -a|grep http
> allow_httpd_anon_write --> off
> allow_httpd_mod_auth_ntlm_winbind --> off
> allow_httpd_mod_auth_pam --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_network_connect --> off
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> off
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> off
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_manage_ipa --> off
> httpd_read_user_content --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> on
> httpd_unified --> on
> httpd_use_cifs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> httpd_use_openstack --> off
> [root@luther selinux-research]#
>
> Thanks for any advice,
>
> Matěj
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApD9EACgkQrlYvE4MpobNyrwCfbXYtp1pJB78ly//DfuwsK9Ye
7TAAn3YbnEolurqoVr+AhfdkxC7fOfPL
=ecVy
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
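An added worked example for the question raised in the thread (whether a boolean would cover all of the denials); this is not code from the thread, from Zarafa, or from the Fedora policy. The idea is to stop guessing: dump the allow rules a boolean actually enables with `sesearch -A -s httpd_t -b httpd_can_sendmail` (setools), then diff that against the raw AVC records from `ausearch -m AVC` and list what would still be denied. The AVC lines below are constructed in the kernel's audit format, modelled on the denial set in the mail, and the "boolean rule dump" is a constructed stand-in (a hypothetical set of rules, not the real policy); replace both with your own `ausearch` and `sesearch` output. The parser accepts both audit2allow-style rules (`allow s t:c perm;`) and the spaced sesearch 3.x style (`allow s t : c { perms } ;`).

```python
"""Check which AVC denials a boolean's allow rules would (not) cover.

Intended use:
    ausearch -m AVC -ts this-week > avc.txt
    sesearch -A -s httpd_t -b httpd_can_sendmail > bool-rules.txt
    python3 thisfile.py avc.txt bool-rules.txt
Without arguments it runs on the constructed samples below.
"""
import re
import sys
from collections import defaultdict

# key=value fields of a raw AVC record (values may be quoted, e.g. comm="httpd").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set: avc:  denied  { write add_name } for ...
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
# allow rules in audit2allow or sesearch spelling: allow S T[ ]:[ ]C perm; / { perms } ;
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;", re.M)


def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)) or None."""
    if "avc:" not in line:
        return None
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    # contexts look like user:role:type:range; the type is the third field and
    # the range may itself contain colons, so index rather than rsplit.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())


def parse_allow_rules(text):
    """Map (source, target, class) -> set of granted perms; 'self' is resolved."""
    rules = defaultdict(set)
    for s, t, cls, braced, single in RULE_RE.findall(text):
        if t == "self":
            t = s
        rules[(s, t, cls)].update((braced or single).split())
    return rules


def uncovered(avc_lines, rules):
    """Merge denials per (source, target, class) and return the perms the rules miss."""
    needed = defaultdict(set)
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed:
            s, t, cls, perms = parsed
            needed[(s, t, cls)].update(perms)
    gap = {}
    for key, perms in needed.items():
        missing = perms - rules.get(key, set())
        if missing:
            gap[key] = missing
    return gap


# Constructed AVC records (not real log data), shaped after the thread's denials.
SAMPLE_AVCS = """\
type=AVC msg=audit(1344677905.123:4567): avc:  denied  { search } for  pid=2201 comm="httpd" name="public" dev=dm-0 ino=393229 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
type=AVC msg=audit(1344677905.124:4568): avc:  denied  { write getattr open } for  pid=2201 comm="httpd" name="pickup" dev=dm-0 ino=393231 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1344677905.125:4569): avc:  denied  { write add_name } for  pid=2201 comm="httpd" name="maildrop" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344677905.126:4570): avc:  denied  { create write open } for  pid=2201 comm="httpd" name="1A2B3C" dev=dm-0 ino=393241 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344680000.001:4600): avc:  denied  { setrlimit } for  pid=2201 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
""".splitlines()

# Constructed, hypothetical stand-in for `sesearch -A -s httpd_t -b <boolean>` output.
# It deliberately grants nothing on postfix's spool; use the real dump on your box.
SAMPLE_BOOLEAN_RULES = """\
allow httpd_t sendmail_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow httpd_t smtp_port_t : tcp_socket name_connect ;
"""

# The audit2allow-style rules quoted in the thread (comments stripped).
SAMPLE_AUDIT2ALLOW = """\
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t self:process setrlimit;
"""


def boolean_gap(avc_lines=SAMPLE_AVCS, rule_text=SAMPLE_BOOLEAN_RULES):
    """Denials left over after granting what rule_text (a boolean's rules) allows."""
    return uncovered(avc_lines, parse_allow_rules(rule_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        avcs = open(sys.argv[1]).read().splitlines()
        gap = boolean_gap(avcs, open(sys.argv[2]).read())
    else:
        gap = boolean_gap()
    for (s, t, cls), perms in sorted(gap.items()):
        print(f"still denied: allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
```

With the constructed stand-in rules every denial in the sample stays uncovered, which is the kind of result that tells you a boolean alone will not do and that the remaining rules deserve a bug report (or a look at why httpd_t is touching the postfix spool directly) rather than a blind `setsebool`.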