On 28 Nov 2017, at 12:15, Colony.three wrote:
[...]
> My God. It's full of stars!
> This fixed the spamass-milter problem. And it seems to be the correct
> way to fix the hundreds of other SELinux errors I have.
> You take this box, and put it through a magic tunnel and see if it
> looks right. If it does you put the box through another magic tunnel
> where it becomes a robot. Then turn on the robot.
> You don't need to know what the box really means nor what the magic
> tunnel does. Even though it's retail (one-by-one), it does fix it
> permanently.

You can find slightly more detailed (but still generic) explanations of
how to use audit2allow:
http://danwalsh.livejournal.com/24750.html
https://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow
The first is by the pre-eminent expert on SELinux. It also provides a
strong clue as to where to look for human help with SELinux for people
who are not paying RedHat. The surrounding documents for both the CentOS
link and the RedHat link explain more of the details of what's inside
the box and what the magic tunnels do.
But yes, mandatory access control systems are inherently extremely
complex and so you have a choice between mystified surrender, heavy
education, or opaque boxes and magic tunnels.
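
As an added example (not part of the original message and not audit2allow's own code), the sketch below shows what is inside the "box": it groups AVC denial records into the kind of allow rules audit2allow derives, so the "see if it looks right" step can be done with open eyes. The log lines are constructed, and the `SENSITIVE_TYPES` list is an assumption made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); values are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1511871300.101:501): avc:  denied  { write } for  pid=2101 comm="spamass-milter" name="spamass.sock" dev="tmpfs" ino=4411 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1511871300.102:502): avc:  denied  { read } for  pid=2101 comm="spamass-milter" name="spamass.sock" dev="tmpfs" ino=4411 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1511871301.200:503): avc:  denied  { read } for  pid=2101 comm="spamass-milter" name="shadow" dev="dm-0" ino=9001 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1511871301.200:503): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

# Assumption for this example: target types a reviewer should not allow blindly.
SENSITIVE_TYPES = {"shadow_t", "sshd_key_t"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group AVC denials into (source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no rule data
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return rules

def render_for_review(rules):
    """Render allow rules in .te syntax, flagging sensitive target types."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in SENSITIVE_TYPES:
            rule += "  # REVIEW: sensitive target type, do not load as-is"
        out.append(rule)
    return out

if __name__ == "__main__":
    print("\n".join(render_for_review(denials_to_rules(SAMPLE_LOG))))
```

A flagged rule is the case where loading the generated module would permanently grant access that was denied for good reason; the fix there is usually a relabel or a boolean, not an allow rule.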