On 08/11/2012 06:58 AM, Matej Cepl wrote:
Hi,
I have found that my server (running RHEL 6 with plenty of EPEL
stuff, most interesting here is probably Zarafa) is still in
permissive mode. Before switching to enforcing again I ran ausearch -m AVC -ts
this-week and got the attached list of AVC denials. I am not sure what to do
about these, but before I blindly file bugs into bugzilla (or blindly
switch on various booleans), I thought to ask for advice here.
[root@luther selinux-research]# audit2allow <avc-this-week.txt \
    |grep -v '^#'|grep -v '^\s*$'
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;
# is httpd_can_sendmail --> off really to blame? Or there is some weird
# interaction between Zarafa webmail and postfix?

I do not know, but I would figure these should require httpd_can_sendmail, but
not sure if boolean would provide all of these.

allow httpd_t self:process setrlimit;
# this just happened once, and I don't feel well about switching the
# httpd_setrlimit boolean on without knowing why it is required.
My booleans related to http:
[root@luther selinux-research]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
[root@luther selinux-research]#
Thanks for any advice,
Matěj
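The reply leaves open whether httpd_can_sendmail would cover every rule audit2allow suggested. One way to check, as an added example that is not part of the original thread: diff the suggested rules against the allow rules a boolean enables. GRANTED_SAMPLE is a constructed stand-in (assumed to be saved from a policy query such as sesearch, in plain allow-rule syntax), and parse_rules and uncovered are hypothetical helper names.

```python
import re
from collections import defaultdict

# Rules audit2allow printed in the message above.
NEEDED = """\
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;
allow httpd_t self:process setrlimit;
"""

# CONSTRUCTED sample, NOT taken from any real policy: substitute the rules
# your own installed policy reports for the boolean you are evaluating.
GRANTED_SAMPLE = """\
allow httpd_t postfix_public_t:dir { getattr search };
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { write getattr read create open };
"""

RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

def parse_rules(text):
    """Map (source, target, class) -> set of permissions from allow rules."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # comments, blank lines, non-allow statements
        src, tgt, cls, perms = m.groups()
        if tgt == "self":
            tgt = src  # 'self' means the source type itself
        rules[(src, tgt, cls)] |= set(perms.strip("{} ").split())
    return rules

def uncovered(needed_text, granted_text):
    """Return the permissions in needed_text that granted_text does not allow."""
    granted = parse_rules(granted_text)
    gaps = {}
    for key, perms in parse_rules(needed_text).items():
        missing = perms - granted.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(uncovered(NEEDED, GRANTED_SAMPLE).items()):
        print(f"not covered: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Anything reported as not covered still needs an explanation (another boolean, a labeling problem, or a bug report) before switching to enforcing.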