On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
> On 01/21/2013 11:31 AM, Daniel J Walsh wrote:
>> On 01/19/2013 07:34 AM, Jean-David Beyer wrote:
>>> On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
>>>> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
>
>>> [snip]
>>>>> Hi, I believe we should collect all AVC msgs. Could you execute
>>>>>
>>>>> # semanage permissive -a system_mail_t
>
>>> Should I turn this off again? I.e., set it to 'enforcing'?
>> Yes, once you are done collecting the AVCs and are happy that it is
>> working properly.
>
>> semanage permissive -d system_mail_t
>
> OK. I did that.
>
> These semanage things take a long time. I have a 4-core 1.8 GHz Xeon
> processor. They tend to hog an entire core for around (but less than) a
> minute. What is it doing with all that time? Do they have to hit a
> database for each program and file in the system or something?
>
>> We do not currently allow log files mailed off the system by the system
>> mailer. I guess we could add a boolean for this, but I do not believe we
>> should allow this by default.
>
> Was this in response to something I said? Because, if so, I forgot what I
> may have said that prompted this.
>
> In the future, I will be wanting to use shell scripts to send e-mails from
> one computer to another on my l.a.n. Right now, I cannot do it because I am
> running the default firewall that comes with RHEL 6 and CentOS 5. I
> certainly can SSH files between the machines with no trouble, since the
> default firewall allows that. And apparently so does SELinux. I know I can
> e-mail stuff off my machine using Thunderbird, and I do not suppose
> anything stops me from attaching a log file, though I never tried that.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Well, the AVC you were showing was emailing a cron log file, which SELinux
blocks and you overrode with a policy module, which is fine. My point was
that we (Fedora/RHEL) do not allow this by default and allow
customers/users to override the defaults.