New to this list, and new to SELinux.

Daniel J Walsh dwalsh at redhat.com
Mon Jan 21 20:42:05 UTC 2013



On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
> On 01/21/2013 11:31 AM, Daniel J Walsh wrote:
>> On 01/19/2013 07:34 AM, Jean-David Beyer wrote:
>>> On 01/18/2013 10:30 AM, Jean-David Beyer wrote:
>>>> On 01/18/2013 09:24 AM, Miroslav Grepl wrote:
> 
>>> [snip]
>>>>> Hi, I believe we should collect all AVC msgs. Could you execute
>>>>> 
>>>>> # semanage permissive -a system_mail_t
> 
>>> Should I turn this off again? I.e., set it to 'enforcing'?
>> Yes once you are done collecting the AVC's and are happy that it is 
>> working properly.
> 
>> semanage permissive -d system_mail_t
> 
> OK. I did that.
> 
> These semanage things take a long time. I have a 4-core 1.8 GHz Xeon 
> processor. They tend to hog an entire core for around (but less than) a
> minute. What is it doing with all that time? Do they have to hit a 
> database for each program and file in the system or something?
> 
>> We do not currently allow log files to be mailed off the system by the
>> system mailer.  I guess we could add a boolean for this, but I do not
>> believe we should allow this by default.
> 
> Was this in response to something I said? Because, if so, I forgot what I
> may have said that prompted this.
> 
> In the future, I will be wanting to use shell scripts to send e-mails from
> one computer to another on my l.a.n. Right now, I cannot do it because I am
> running the default firewall that comes with RHEL 6 and CentOS 5. I
> certainly can SSH files between the machines with no trouble, since the
> default firewall allows that. And apparently so does SELinux. I know I can
> e-mail stuff off my machine using Thunderbird, and I do not suppose
> anything stops me from attaching a log file, though I never tried that.
> 

Well, the AVC you were showing was emailing a cron log file, which SELinux
blocks and you overrode with a policy module, which is fine.  My point was we
(Fedora/RHEL) do not allow this by default and allow customers/users to
override the defaults.

