On 11/15/2013 07:22 AM, Timothy Murphy wrote:
Daniel J Walsh wrote:
> I thought I'd try to move from SELinux permissive mode following the
>>>> advice in this video and slides.
>> The response started with 11 AVC's, which all concerned the same file,
>> this being a sample:
>>
>> **** Invalid AVC allowed in current policy ***
>>
>> type=AVC msg=audit(1330438567.88:108452): avc: denied { getattr } for
>> pid=2567 comm="config" path="/etc/dovecot/dovecot.conf"
dev=sdb10
>> ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>
>> found 11 alerts in /var/log/audit/audit.log
>>
>> Then there was a much longer portion going over different files, giving
>> terse advice of what to do in many cases, but also vague advice of the
>> kind above in other cases.
>>
> Looks like you had a mislabeled file in /etc. Did it suggest restorecon
> as its #1 option?
>
> restorecon -R -v /etc/dovecot
Thanks for the response.
I didn't explain myself very well. The problem with dovecot.conf did not
cause any difficulty, I ran restorecon as was suggested. The difficulty
arose with cases where I had to choose a FILETYPE from dozens of choices.
Yes we are trying to clean this up in a new gui, and some changes in policy.
Hopefully we can at least start sorting the list by matching the namespace.
IE If the source is httpd_t Then the list should start with httpd_* items first.
We can also put some heuristics in such that if the type is var_log_t then
suggest httpd_log_t. But as always patches welcome... :^)