Re: pyzor and SELinux

Craig White wrote:
On Sat, 2006-03-18 at 22:45 -0800, Antony Nguyen wrote:

Hi Craig,

On Sat, 18 Mar 2006, Craig White wrote:


Can anyone give me a hint as to how to add an selinux policy for pyzor or
enable its ability to resolve names?


----
try this...

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
audit2allow -d >> domains/local.te
make reload

I won't explain and I'm just guessing that will work for you.

Thanks, that seems to have done the trick. I'm running auditd so I actually used:

audit2allow -i /var/log/audit/audit.log >> domains/misc/local.te

This begs the question though: should this be part of the spamassassin/pyzor policy shipped with Fedora? I pretty much used
the standard FC4 installation of spamassassin (spamd) and pyzor
(not pyzord), and the only configuration on my part was running
'pyzor discover' as root to download the pyzor server list.
Should I submit this as a 'bug' or RFE to the SELinux guru, or is
this local policy considered to be a regular sysadmin task that
we'll just have to deal with?


----
I honestly don't know...Paul will probably check in before too
long...he's very sharp on selinux and might be able to give you a better
answer than I can.

I'd be interested to see what's actually in /etc/selinux/targeted/src/policy/domains/local.te

The right thing to do is to figure out if what pyzor is trying to do *should* be allowed, and:

(*) if it should, raise a bug on selinux-policy-targeted
(*) if it shouldn't, raise a bug on pyzor

I think there have been a lot of issues with SELinux and SpamAssassin in FC4, possibly because SA has lots of optional features (some of which require perl modules from Extras) and it can be used in many different ways (e.g. using spamd, straight from procmail, in a sendmail milter etc.). Enumerating all of the things it *should* be allowed to do is not an easy task, but the more people that raise bugs on it when they discover them, the better the default policy will be.

Incidentally, policy tweaking in FC5 will be completely different; the sources are not provided (apart from SRPMs, as per the kernel), and SELinux policy modules are available instead.

http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

Paul.
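
An added example, not part of the original thread: one way to review which denials belong to pyzor before anything is appended to local.te, so that unrelated denials in the same audit log are not allowed by accident. The log lines are constructed and the SELinux type names in them are illustrative assumptions; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); type names are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1142751001.101:41): avc:  denied  { name_connect } for  pid=2101 comm="pyzor" dest=53 scontext=system_u:system_r:pyzor_t tcontext=system_u:object_r:dns_port_t tclass=tcp_socket
type=AVC msg=audit(1142751001.105:42): avc:  denied  { read } for  pid=2101 comm="pyzor" name="resolv.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:pyzor_t tcontext=system_u:object_r:net_conf_t tclass=file
type=AVC msg=audit(1142751002.200:43): avc:  denied  { getattr } for  pid=2101 comm="pyzor" name="resolv.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:pyzor_t tcontext=system_u:object_r:net_conf_t tclass=file
type=AVC msg=audit(1142751050.300:44): avc:  denied  { write } for  pid=2200 comm="httpd" name="shadow" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1142751050.300:44): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

# Pull the permission set, command name and both contexts out of an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="?(?P<comm>[^"\s]+)"?.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text, comm=None):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue  # not an AVC denial, or from a different command
        key = (se_type(m.group("scon")), se_type(m.group("tcon")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules

def to_allow_rules(rules):
    """Render the grouped denials as allow statements for human review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_LOG, comm="pyzor")):
        print(rule)
```

Without the `comm` filter, the constructed httpd denial would also be turned into an allow rule, which is the case the "should it be allowed" question above is meant to catch.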

