Re: New to this list, and new to SELinux.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
> On 01/21/2013 11:31 AM, Daniel J Walsh wrote:
>> On 01/19/2013 07:34 AM, Jean-David Beyer wrote:
>>> On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
>>>> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
> 
>>> [snip]
>>>>> Hi, I believe we should collect all AVC msgs. Could you execute
>>>>> 
>>>>> # semanage permissive -a system_mail_t
> 
>>> Should I turn this off again? I.e., set it to 'enforcing'?
>> Yes once you are done collecting the AVC's and are happy that it is 
>> working properly.
> 
>> semanage permissive -d system_mail_t
> 
> OK. I did that.
> 
> These wemanage things take a long time. I have a 4-core 1.8 GHz Xeon 
> processor. They tend to hog an entire core for around (but less than) a
> minute. What is it doing with all that time? The they have to hit a 
> database for each program and file in the system or something?
> 
>> We do not currently allow log files mailed off the system by the system
>> mailer.  I guess we could add a boolean for this. but I do not believe we
>> should allow this by default.
> 
> Was this in response to something I said? Because, if so, I forgot what I
> may have said that prompted this.
> 
> In the future, I will be wanting to use shell scripts to send e-mails from
> one computer to another on my l.a.n. Right now, I cannot do it because I am
> running the default firewall that comes with RHEL 6 and CentOS 5. I
> certainly can SSH files between the machines with no trouble, since the
> default firewall allows that. And apparently so does SELinux. I know I can
> e-mail stuff off my machine using Thunderbird, and I do not suppose
> anything stops me from attaching a log file, though I never tried that. -- 
> selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

Well the AVC you were showing was emailing a cron log file. Which SELinux
blocks and you overrode with a policy module which is fine.  My point was we
Fedora/RHEL do not to allow this by default and allow customers/users to
override the defaults.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD9qB0ACgkQrlYvE4MpobOdOQCdGOdLybTfMcSKlCi3It+UU8xy
IlYAn3zcAojOoRDa29iH9Kw8qb892Hi5
=1XEu
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux