On Wed, 2008-03-05 at 15:16 +0000, Arthur Dent wrote:
Hello Chaps,
I'm running SELinux in permissive mode on F8. I was thinking of switching to
enforcing mode and took a peek inside /var/log/messages to see what denials
SELinux is currently reporting. I was *horrified* - there must be thousands
there! Doing "cat /var/log/audit/audit.log" is even worse - it takes about a
minute to scroll through!
They mainly relate to procmail, clamd and samba but I get many reports of
incorrectly labelled files (file_t).
I want to tackle these one step at a time and I think the first place to start
is with the incorrectly labelled files.
I have tried the "touch ./autorelabel; reboot" trick (several times!) but I
still get the same errors.
As a matter of interest, I have a procmail recipe which writes a copy of every
mail I receive to a backup area on my /dev/sda8 partition, mounted as
/mnt/backup/ by fstab. (It is an ext3 partition).
I have tried doing:
"restorecon -v -R /mnt/backup"
and even:
"fixfiles relabel"
on this partition, but I gather this will not work. I think that I must
somehow define a policy for this (and probably other) partition(s), but I am
unclear as to how to go about this.
You might try something like this, assuming that you only store mail
files under /mnt/backup and only procmail requires access:
semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
restorecon -v -R /mnt/backup
If you need other things to be able to access it, then we'll have to
know more to decide how to label it, or you could possibly move it to a
subdir of /mnt/backup like /mnt/backup/spool that can be devoted to
procmail's use.
I am reasonably familiar with Linux generally, but am a complete SELinux
virgin (and frankly scared silly of it). I normally turn off SELinux as my
first action after installing a distro, but I think it's about time I got to
grips with its security benefits.
I would be very grateful therefore if someone could hold my hand through this
learning process!
I have to run this particular box headless and access via ssh so I have to do
everything with command-line tools.
Thanks in advance...
Mark
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
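A small script putting Stephen's two-step suggestion into a repeatable form, with a check that reports anything under the backup tree that still does not carry the intended type. This is an added example, not code from the list thread or from the SELinux project; it assumes the path /mnt/backup and the type mail_spool_t from the reply above, and the file listing it checks is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the list thread). Assumes the path and type from
# Stephen's suggestion: /mnt/backup labelled mail_spool_t for procmail's use.
BACKUP_DIR=/mnt/backup
WANT_TYPE=mail_spool_t

# Regex in the form semanage fcontext expects: the directory itself plus
# everything below it.
fcontext_pattern() {
    printf '%s(/.*)?' "$1"
}

# Read "context path" lines on stdin (the format printed by
# `find DIR -printf '%Z %p\n'`) and print the paths whose SELinux type, the
# third colon-separated field of the context, is not $1.
# Assumes paths contain no whitespace, since awk splits fields on it.
mislabeled() {
    awk -v want="$1" '{ split($1, c, ":"); if (c[3] != want) print $2 }'
}

# Constructed sample listing: one file already correct, one still file_t,
# i.e. the "incorrectly labelled" state from the original post.
SAMPLE_LISTING='system_u:object_r:mail_spool_t:s0 /mnt/backup/msg.1
system_u:object_r:file_t:s0 /mnt/backup/msg.2'

# Exercise the check against the sample so the logic can be verified on a
# box without SELinux tooling.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabeled "$WANT_TYPE"
}

# Live procedure, only meaningful on an SELinux host with policycoreutils:
# 1. record the rule in the local policy so it survives a future relabel;
# 2. dry-run restorecon to preview changes; 3. apply; 4. list any leftovers.
# Re-running step 1 needs `semanage fcontext -m` (modify) once the rule exists.
apply_label() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    semanage fcontext -a -t "$WANT_TYPE" "$(fcontext_pattern "$BACKUP_DIR")"
    restorecon -n -v -R "$BACKUP_DIR"   # -n: report what would change, touch nothing
    restorecon -v -R "$BACKUP_DIR"
    find "$BACKUP_DIR" -printf '%Z %p\n' | mislabeled "$WANT_TYPE"
}

# Only touch the system when asked explicitly:  sh relabel-backup.sh apply
if [ "${1:-}" = apply ]; then
    apply_label
fi
```

Run with no argument the script changes nothing and only defines the helpers; with `apply` it performs the relabel and finishes by printing any path still carrying a different type, so an empty final listing is the success signal.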