On Monday, January 13, 2025 9:38:51 AM Pacific Standard Time John Griffiths via selinux wrote:
> What denials are shown in sealert?
>
> John

Very few now except for "ps" or process listing related denials. Probably some things are "allowed" that don't need to be, but on the theory some selinux protection is better than none, and getting things going in enforcing mode, everything is mostly working. Still looking for weirdnesses and issues on running services.

[root@blanco ~]# vim local_policy.cil
[root@blanco ~]# semodule -r local_policy && semodule -i local_policy.cil
libsemanage.semanage_direct_remove_key: Removing last local_policy module (no other local_policy module exists at another priority).
[root@blanco ~]# cat local_policy.cil
(allow postfix_smtpd_t var_lib_t (file (getattr open read)))
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
(allow init_t mysqld_port_t (tcp_socket (name_connect)))
(allow init_t soundd_port_t (tcp_socket (name_connect)))
(allow init_t http_port_t (tcp_socket (name_connect)))
(allow init_t user_home_t (file (getattr open read write append)))
(allow init_t user_home_t (dir (getattr open read write append)))
(allow init_t user_home_t (lnk_file (getattr open read write append)))
(allow init_t init_t (process (execmem)))
(allow saslauthd_t saslauthd_t (capability (dac_read_search)))
[root@blanco ~]# geten
getenforce  getent
[root@blanco ~]# getenforce
Enforcing
[root@blanco ~]#
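
Added example, not part of the original message: a small Python reader for the local_policy.cil shown above that groups its allow rules by source domain and lists the ones granting permissions on a watchlist, as a starting point for finding rules that may not need to stay. The watchlist and the function names are assumptions of this example, not an SELinux-defined set or tool.

```python
import re

LOCAL_POLICY = """
(allow postfix_smtpd_t var_lib_t (file (getattr open read)))
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
(allow init_t mysqld_port_t (tcp_socket (name_connect)))
(allow init_t soundd_port_t (tcp_socket (name_connect)))
(allow init_t http_port_t (tcp_socket (name_connect)))
(allow init_t user_home_t (file (getattr open read write append)))
(allow init_t user_home_t (dir (getattr open read write append)))
(allow init_t user_home_t (lnk_file (getattr open read write append)))
(allow init_t init_t (process (execmem)))
(allow saslauthd_t saslauthd_t (capability (dac_read_search)))
"""  # module from the post above, copied verbatim
# Assumed watchlist (this example's choice): permissions worth a second look.
WATCH_PERMS = {"execmem", "dac_read_search", "dac_override",
               "write", "append", "connectto", "name_connect"}

def parse_sexp(text):
    """Parse CIL text (';' comments stripped) into nested Python lists."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def review(text):
    """Map source domain -> [(target, class, watched perms)] for allow rules."""
    report = {}
    for node in parse_sexp(text):
        if not (isinstance(node, list) and len(node) == 4 and node[0] == "allow"
                and isinstance(node[3], list) and len(node[3]) == 2):
            continue  # skip anything that is not an inline allow rule
        _, src, tgt, (cls, perms) = node
        hits = sorted({p for p in perms if isinstance(p, str)} & WATCH_PERMS)
        if hits:
            report.setdefault(src, []).append((tgt, cls, hits))
    return report

for src, items in review(LOCAL_POLICY).items():
    print(src, items)
```

Each flagged rule is a candidate for narrowing, for example by relabeling the target with a dedicated type instead of granting access to a generic one.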