On 2/10/14, Michal Bruncko <michal.brun...@zssos.sk> wrote:
> > * A custom smtpd instance listening on the loopback interface on port
> > 10025
> as you can see from your policy posted at the end of your post - you can
> simply allow postfix to bind to port 10025 using command:
> setsebool -P allow_ypbind=on
> (parameter -P makes this change permanent)

I chose not to do that because it is global, not specific to Postfix.
Why would I open a door more widely when I can just add a policy for
the specific process in question? (Not being sarcastic, I want to know)

> > * Using Postfix virtual as the delivery agent to maildirs that are
> > not under the normal local /var/spool/mail
> > I copied the context of /var/spool/mail like this: chcon -R -u
> > system_u -r object_r -t mail_spool_t /var/userdata/mail
>
> to make this change permanent use following command:
>
> semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"
>
> and after that: restorecon -Rv /var/userdata/mail/
> (all wrongly labeled files should get correct context according semanage
> rule above)

Ah, this is what I was looking for. Thank you!

> ..in order to use "semanage" tool you have to install
> "policycoreutils-python" package.

Already had it in order to use audit2allow, but this is a good tip,
because it's not obvious at all (not even documented in the vendor
SELinux how-to page).
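
An added example, not part of the thread: a simplified Python model of how the file-context spec given to `semanage fcontext` above is matched against paths, showing what the `(/.*)?` suffix covers compared with two common variants. The base-policy entries, the sample paths and the last-match-wins rule are simplifying assumptions; the real lookup is done by libselinux.

```python
import re

# Constructed, simplified spec list in load order: base-policy style entries
# first, then the local rule added with `semanage fcontext -a` in the thread.
SPECS = [
    (r"/var(/.*)?", "var_t"),                       # constructed base entry
    (r"/var/spool/mail(/.*)?", "mail_spool_t"),     # constructed base entry
    (r"/var/userdata/mail(/.*)?", "mail_spool_t"),  # local rule from the thread
]


def spec_matches(spec, path):
    """A spec is a regex matched against the whole path (anchored both ends)."""
    return re.fullmatch(spec, path) is not None


def expected_type(path, specs=SPECS):
    """Simplified model (assumption): the last matching regex spec wins."""
    result = None
    for spec, setype in specs:
        if spec_matches(spec, path):
            result = setype
    return result


def covered(spec, paths):
    """Return the subset of paths that a single spec would label."""
    return [p for p in paths if spec_matches(spec, p)]


# Constructed sample paths: the maildir root, a message below it, and a
# sibling directory that merely shares the same name prefix.
PATHS = [
    "/var/userdata/mail",
    "/var/userdata/mail/alice/new/1392000000.msg",
    "/var/userdata/mailbackup/alice.tar",
]

if __name__ == "__main__":
    for p in PATHS:
        print(f"{p} -> {expected_type(p)}")
    # Variants of the spec and what each one would cover:
    for spec in (r"/var/userdata/mail",         # directory only
                 r"/var/userdata/mail.*",       # also the unrelated sibling
                 r"/var/userdata/mail(/.*)?"):  # directory and its contents
        print(spec, covered(spec, PATHS))
```

On a real system, `matchpathcon <path>` reports the context the loaded policy expects for a path, which is the check to run before `restorecon`.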