https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #3 from Randy Barlow <randy(a)electronsweatshop.com> ---
As noted in
https://bugzilla.redhat.com/show_bug.cgi?id=1429126, I have written
a new SELinux policy and submitted it to the Fedora selinux-policy-contrib
module:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/8
https://github.com/fedora-selinux/selinux-policy-contrib/pull/7
Once that is accepted, merged, and released into Fedora 26+, we will also need
to adjust a few things on the ejabberd side to be compliant.
For one, I wasn't able to get ejabberd working with PolicyKit and SELinux
enforcing, so I may drop the PolicyKit patch. It would fail with this error
message:

    ejabberdctl[22397]: Refusing to render service to dead parents.

Secondly, we no longer need to use /bin/bash to launch ejabberdctl in the unit
file, and we also cannot use PrivateDevices=true because that will prevent the
domain transition from being allowed.
Because we have to wait on the pull requests, I'm going to attach a git diff of
what I have in my checkout right now here. This git diff isn't quite what we'll
want, because it makes an ejabberd-selinux subpackage (which I used for testing
purposes while developing the policy), but it has some of the changes we'll
need.