My exim config needs to speak to MySQL (for greylisting). To allow this to work I needed to run:

    setsebool -P exim_can_connect_db 1

And that seems to do the trick.

Now sealert tells me:

    SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/share/mysql/charsets/Index.xml.

    If you want to allow exim to have getattr access on the Index.xml file
    Then you need to change the label on /usr/share/mysql/charsets/Index.xml
    Do
    # semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'

It then lists a whole set of suggested types.

The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0

I picked exim_t (which seemed reasonable - just on the name). But when I try I get permission denied; a bit of digging tells me that exim_t is a domain for a process rather than a type for a file.

Questions:

a) How do I work out what type to set the file to?

b) I would presumably need to do so for every file in /usr/share/mysql/charsets/

c) Is changing the type on a file so that the MTA can access it the right thing anyway? Should I not be allowing exim access to usr_t instead ... but would that not open things too wide?

d) More generally: where do I look to get a list of all the XXX_t, what they are, what they are supposed to be used for, ... so that I can work out what the best choice is?

Regards

PS I am using CentOS 6.3.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>