From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.12) Gecko/20050929

Description of problem:
We set up a postfix/mailman/dovecot/MailScanner/spamassassin/squirrelmail mail server. We had to make the following additions to local.te based on audit2allow < /var/log/audit/audit.log:

    #postfix
    allow postfix_local_t etc_t:file lock;
    allow postfix_master_t devpts_t:chr_file getattr;
    allow postfix_master_t devpts_t:dir search;
    allow postfix_master_t etc_t:file { lock write };
    allow postfix_master_t mailman_data_t:dir { add_name remove_name search write };
    allow postfix_master_t mailman_data_t:file { create getattr read rename write };
    allow postfix_master_t policy_src_t:dir search;
    allow postfix_master_t user_home_dir_t:dir search;
    allow postfix_master_t var_lib_t:dir search;
    allow postfix_smtpd_t etc_t:file lock;
    allow postfix_local_t lib_t:file execute_no_trans;
    allow postfix_local_t mailman_data_t:dir { add_name remove_name write };
    allow postfix_local_t mailman_data_t:file { create getattr rename write };
    allow postfix_local_t mailman_log_t:dir search;
    allow postfix_local_t mailman_log_t:file { append getattr read };
    allow postfix_local_t var_log_t:dir search;

    # httpd and squirrelmail/mailman
    allow httpd_t pop_port_t:tcp_socket name_connect;
    allow httpd_t user_home_t:file getattr;
    allow mailman_cgi_t urandom_device_t:chr_file read;
    allow mailman_cgi_t var_run_t:dir search;
    allow mailman_cgi_t nscd_var_run_t:dir search;

    # dovecot
    allow dovecot_t postfix_etc_t:dir { getattr search read };
    allow dovecot_t postfix_etc_t:file { getattr read lock setattr };

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.11

How reproducible:
Always

Steps to Reproduce:
1. Install a mail server with the above features
2. Experience frustration as selinux trips you up at every turn.
3. Resolve to be patient and work with selinux instead of turning it off.

Actual Results:
selinux tripped us up at every turn.

Expected Results:
All rpms should be selinux aware and make the appropriate policy modifications.

Additional info:
Please include the audit log as an attachment.
Created attachment 121778
The audit log resulting in the allow statements

This is (most likely) the file we used to create those allow statements via audit2allow. We did this a while back; however, when I ran audit2allow on this file, it produced all of those statements again ...
Closing since FC4 is no longer supported. Reopen if this is the case in FC5 or FC6.
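
How AVC denial records fold into allow rules like the ones in the report, as an added example that is not part of the original bug thread and is not audit2allow's own code. The log lines are constructed samples, and `denials_to_rules` is a hypothetical helper that keeps the denied process name beside each rule so the rule can be traced and reviewed before it goes into local.te.

```python
import re
from collections import defaultdict

# Constructed sample records (not from attachment 121778); the types and
# classes mirror rules quoted in the report, everything else is made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1130000000.101:11): avc:  denied  { lock } for  pid=2101 comm="local" name="aliases.db" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1130000000.202:12): avc:  denied  { write } for  pid=2050 comm="master" name="aliases.db" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1130000000.303:13): avc:  denied  { lock } for  pid=2050 comm="master" name="aliases.db" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1130000000.404:14): avc:  granted  { read } for  pid=2300 comm="httpd" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1130000000.404:14): arch=14 syscall=5 success=no exit=-13
type=AVC msg=audit(1130000000.505:15): avc:  denied  { name_connect } for  pid=2300 comm="httpd" dest=110 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
"""

# Only "denied" AVC records match; an MLS level after the type is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+).*?"
    r"tclass=(?P<cls>\w+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def denials_to_rules(log_text):
    """Map each allow rule to the process names (comm) whose denials produced it."""
    grouped = defaultdict(lambda: (set(), set()))  # key -> (perms, comms)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted AVCs, SYSCALL records, other noise
        perms, comms = grouped[(m["src"], m["tgt"], m["cls"])]
        perms.update(m["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            comms.add(comm.group(1))
    rules = {}
    for (src, tgt, cls), (perms, comms) in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules[f"allow {src} {tgt}:{cls} {perm_text};"] = sorted(comms)
    return rules


if __name__ == "__main__":
    for rule, comms in denials_to_rules(SAMPLE_LOG).items():
        print(f"{rule}  # denied for: {', '.join(comms)}")
```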