Thanks Laurent.

You obviously know a LOT more about SELinux than I. I pretty much just use commands and do not build policies.

So I need some more information here. From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)

Thanks

On 04/25/2017 10:26 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
>> I thought I had this fixed, but I do not. I was away from this problem
>> working on other matters, and came back (after a reboot) and it is still
>> there, so I suspect when I thought I had it 'fixed' I was running with
>> setenforce 0 from another problem (that is fixed).
>>
>> So anyone know how to get dovecot dict connecting to mysql when
>> enforcing? Googling is not finding any real help.
> Hi,
>
> I’ve got some « tweaking » here (using postgresql, obviously) so that
> dovecot runs properly with SELinux enabled,
>
> HTH,
> Laurent.
>
> module mydovecot 1.0;
>
> require {
>     type dovecot_auth_t;
>     type postgresql_port_t;
>     type dovecot_t;
>     type var_t;
>     type postfix_virtual_tmp_t;
>     class tcp_socket name_connect;
>     class file { rename read lock create write getattr link unlink open append };
>     class dir { read write create add_name remove_name };
> }
>
> #============= dovecot_auth_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
>
> #============= dovecot_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
> allow dovecot_t var_t:dir create;
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_t var_t:dir { read write add_name remove_name };
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };
>
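
The two things asked about above (seeing what the loaded policy already allows, and loading a MySQL version of the connect rule) can be done with the standard SELinux userland tools. This is an added example, not part of the thread or anyone's posted code. It assumes MySQL is reached over TCP on a port labelled mysqld_port_t, that the source domain is read from the logged denial, and it uses a hypothetical module name, mydovecot_mysql.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: MySQL is reached over TCP on
# a port labelled mysqld_port_t (3306 in the reference policy); the module name
# mydovecot_mysql is hypothetical; DOMAIN is the scontext type in the denial.

# show_current DOMAIN: report what is in place now (run as root on the host).
show_current() {
    getenforce                                  # Enforcing or Permissive
    semodule -l | grep -i dovecot               # loaded modules naming dovecot
    semanage port -l | grep -w mysqld_port_t    # ports carrying the MySQL label
    # Does the loaded policy already allow the connect? No output means no.
    sesearch --allow -s "$1" -t mysqld_port_t -c tcp_socket -p name_connect
    # Today's dovecot denials, each with the reason it was denied.
    ausearch -m avc -ts today | grep dovecot | audit2why
}

# write_te DOMAIN FILE: write a module source holding only the connect rule.
# The module name is taken from the file name so the two always match.
write_te() {
    mod=$(basename "$2" .te)
    cat > "$2" <<EOF
module $mod 1.0;

require {
	type $1;
	type mysqld_port_t;
	class tcp_socket name_connect;
}

allow $1 mysqld_port_t:tcp_socket name_connect;
EOF
}

# build_and_load FILE: compile, package and install the module (as root).
build_and_load() {
    base=${1%.te}
    checkmodule -M -m -o "$base.mod" "$1" &&
        semodule_package -o "$base.pp" -m "$base.mod" &&
        semodule -i "$base.pp"
}

# Typical sequence, with the domain copied from the denial's scontext:
#   show_current dovecot_auth_t
#   write_te dovecot_auth_t mydovecot_mysql.te
#   build_and_load mydovecot_mysql.te
```

If Dovecot reaches MySQL through the local socket file rather than TCP, the denial names a different class and this rule will not match; take the rule from the logged denial instead. The module carries only the connect rule, so the var_t and postfix_virtual_tmp_t rules from the quoted module are left out unless matching denials show up on this host.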