Some more (probably) Zarafa-related
Matej Cepl
mcepl at redhat.com
Sat Aug 11 10:58:05 UTC 2012
Hi,

I have found that my server (running RHEL 6 with plenty of EPEL
stuff, most interesting here is probably Zarafa) is still in
permissive mode. Before switching to enforcing again I ran ausearch -m
AVC -ts this-week and got the attached list of AVC denials. I am not
sure what to do about these, but before I blindly file bugs into
bugzilla (or blindly switch on various booleans), I thought I would ask
for advice here.

[root@luther selinux-research]# audit2allow <avc-this-week.txt \
|grep -v '^#'|grep -v '^\s*$'
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;
# is httpd_can_sendmail --> off really to blame? Or is there some weird
# interaction between Zarafa webmail and postfix?
allow httpd_t self:process setrlimit;
# this just happened once, and I don't feel good about switching the
# httpd_setrlimit boolean on without knowing why it is required.

My booleans related to http:

[root@luther selinux-research]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
[root@luther selinux-research]#

Thanks for any advice,

Matěj
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avc-this-week.txt
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120811/3dc958a3/attachment.txt>
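
Added example, not part of the original post or its attachment: audit2allow folds all denials into one rule per (source, target, class), which hides how often each fired and which command triggered it. This Python script keeps that information per rule; the sample records are constructed, and the names se_type, summarize and report are hypothetical.

```python
import re
from collections import defaultdict

# Constructed records in the format "ausearch -m AVC" prints; pids, inodes,
# timestamps and comm values are invented, not taken from the attachment.
SAMPLE = """\
type=AVC msg=audit(1344500000.101:201): avc:  denied  { search } for  pid=2101 comm="sendmail" name="maildrop" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344500000.102:202): avc:  denied  { write } for  pid=2101 comm="sendmail" name="maildrop" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344600300.511:310): avc:  denied  { add_name } for  pid=3307 comm="sendmail" name="A1B2C3" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344600300.512:311): avc:  denied  { create } for  pid=3307 comm="sendmail" name="A1B2C3" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344400000.007:150): avc:  denied  { setrlimit } for  pid=1800 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class), as audit2allow does,
    but keep how often each occurred, when, and which command triggered it."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(), "last": 0})
    for m in AVC_RE.finditer(text):
        src, tgt = se_type(m["s"]), se_type(m["t"])
        g = groups[(src, "self" if src == tgt else tgt, m["cls"])]
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        g["comms"].add(m["comm"])
        g["last"] = max(g["last"], int(m["ts"]))  # epoch seconds of latest hit
    return dict(groups)

def report(text):
    """One line per rule, most frequent first."""
    rows = sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{g['count']:>3}x {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}"
        f" comm={','.join(sorted(g['comms']))} last={g['last']}"
        for (src, tgt, cls), g in rows
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the real ausearch output instead of SAMPLE, a rule with a count of 1 and an old "last" timestamp stands apart from denials that recur on every mail submission.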