Question about split between delivered and local policy

Daniel J Walsh dwalsh at redhat.com
Thu Jul 9 21:07:49 UTC 2009


On 07/09/2009 03:51 PM, Daniel Fazekas wrote:
> On Jul 9, 2009, at 21:36, David Highley wrote:
> 
>> For example, email seems to always need selinux policy changes so that
>> avc's are not blocking spamassassin and pyzor.
> 
> SpamAssassin and Pyzor should be working fine without any further
> tweaking since some Fedora releases ago. Some time around Fedora 8 or 9.
> 
> Are you using the spamassassin service (spamd)?
> Are the relevant spamassassin selinux bools enabled?
> 
> # getsebool -a | grep spam
> spamassassin_can_network --> on
> spamd_enable_home_dirs --> on
> 
> If they still don't work properly this way, you should check if the
> contexts went wrong with some files in the home directories.
> restorecon -Rv /root /home
> 
> I think if you aren't doing anything unusual yet basic packages break,
> the recommended course of action is to file a Bugzilla report rather
> than try and patch it with your custom local policy.
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well, as we move forward, we are putting more and more labels in the homedir. So just maintaining the labels on the homedir, from previous to new, is not going to work.

If we ever want to get confined user applications to work in the homedir, we have to get a mechanism to set these labels at creation time.  In Rawhide right now, I have a restorecond running in user space watching for creation of files in the homedir to make sure they are labeled correctly.  So if a user just executes mkdir .ssh or mkdir public_html it gets labeled correctly without the user having to be an SELinux expert.  Similarly, tools like firefox/nsplugin and other tools rely on the homedir being correctly labeled to add confinement.
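As an added example (not code from either poster), the checks the quoted reply walks through, put into a small POSIX sh audit: it reports which of the two spamassassin booleans are not on, and which of the homedir paths Dan mentions (.ssh, public_html) carry a label that differs from what the loaded policy expects, using matchpathcon -V in read-only mode rather than relabeling. The parsing functions take tool output on stdin so they can be exercised without SELinux; the "PATH has context X, should be Y" line format is assumed from matchpathcon -V.

```shell
#!/bin/sh
# Added example: audit the SELinux settings spamd/pyzor depend on.
# Parsing is separated from the real tool calls so it can be tested offline.

REQUIRED_BOOLS="spamassassin_can_network spamd_enable_home_dirs"

# bools_off: read `getsebool -a` output ("name --> on") on stdin and print
# each required boolean that is not "on"; a boolean absent from the policy
# is reported as "missing".
bools_off() {
    awk -v req="$REQUIRED_BOOLS" '
        BEGIN { n = split(req, want, " ")
                for (i = 1; i <= n; i++) state[want[i]] = "missing" }
        $2 == "-->" && ($1 in state) { state[$1] = $3 }
        END { for (i = 1; i <= n; i++)
                  if (state[want[i]] != "on") print want[i], state[want[i]] }'
}

# label_mismatches: read `matchpathcon -V` output on stdin and print the paths
# whose on-disk context differs from the policy. Assumed line formats:
#   PATH verified.
#   PATH has context CUR, should be EXPECTED
label_mismatches() {
    awk '/ has context / { print $1 }'
}

# main: wire the parsers to the live tools (Fedora with SELinux enabled).
main() {
    getsebool -a 2>/dev/null | bools_off | sed 's/^/boolean not on: /'
    # Only the homedir entries the thread talks about; -V never relabels.
    for d in /root /home/*; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 \( -name .ssh -o -name public_html \) \
            -exec matchpathcon -V {} + 2>/dev/null
    done | label_mismatches | sed 's/^/relabel needed (restorecon -Rv): /'
}

# Run the live audit only when asked, so sourcing the file is side-effect free.
if [ "$1" = "--run" ]; then
    main
fi
```

A reported boolean is fixed with setsebool -P, and a reported path is fixed with the restorecon -Rv the reply suggests.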
