On 27 Nov 2017, at 22:45 (-0500), Colony.three wrote:
>> Is anyone using the unix:socket for spamaassassin's milter?
>> When I turned on SELinux, it will not let me change the group of the
>> spamass-milter socket. (/run/spamass-milter/postfix/sock)
>> /var/log/messages
>> spamass-milter: group option, chown: Operation not permitted
>> G**gle's baffled how to set SELinux to fix this.
>>
>> The policycoreutils-python package, in particular its audit2why and
>> audit2allow tools, are indispensable for diagnosing and solving SELinux
>> issues. A particular advantage they have over Google, Bing, or
>> StackOverflow is that they are designed specifically to diagnose and
>> solve SELinux problems and they work really fast...
audit2why -a gives just a haystack of problems, none of which reference
specific files, and all of which seem to be hysterics. I have so many things
to do that I can never learn SELinux coherently, and usually end up turning it
off. I've asked on IRC and can't get the hang of it, and I've searched for
appropriate commands to exhaustion. And I know there are thousands like me.
I am really trying to not turn off SELinux with this server, and only have this
one showstopper error. But I don't know what to do with this gibberish:
--------------------------------------------------------------------
type=AVC msg=audit(1511826731.712:227): avc: denied { dac_override } for
pid=1615 comm="spamass-milter" capability=1
scontext=system_u:system_r:spamass_milter_t:s0
tcontext=system_u:system_r:spamass_milter_t:s0 tclass=capability permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
--------------------------------------------------------------------
Ch-yea, sure, I'll get right on that...
