[GF-Users] GF10 is now released!
Peter
peter at pajamian.dhs.org
Sat Aug 23 20:25:00 MST 2025
Systemd service files are not considered config files. If you want to
make changes to service files that will survive a package update, then
you should use the systemctl edit command, which will create a new
supplementary file that will add / override the directives in the
service file.

I have, however, marked the following files as config files:

/etc/tlsrpt/collectd.cfg
/etc/tlsrpt/fetcher.cfg
/etc/tlsrpt/reportd.cfg
/usr/lib/sysusers.d/tlsrpt.conf
/usr/lib/tmpfiles.d/tlsrpt.conf

I'm not going to push this out right away but it is in my working copy
of the spec file for the next update.

I recall I was going to do something about the systemd issue but it fell
through the cracks. The last thing I came up with, which I believe is
the appropriate remedy, is as follows:

> Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set
> context for /var/run/tlsrpt to that type.
>
> Create a new policy allowing write and sendto for postfix_smtp_t to
> tlsrpt_var_run_t.
>
> That should allow postfix to access the socket properly without blowing
> out access to a bunch of other files as well.

I'm thinking of actually doing this from a separate package
(tlsrpt-reporter-selinux-policies) and setting that as a "Recommends"
for the tlsrpt-reporter. This way people are not forced to install the
selinux policies if they have another solution in mind.


Peter

On 24/08/25 13:49, Michael Webb wrote:
> Peter. Thank you.
>
> Postfix-tlspol 1.8.13
> -------------------------------------
> is working on EL9 and EL10. Awesome
>
> tlsrpt-reporter
> -------------------
> If possible please could you change the following in the tlsrpt-reporter
>
> The following files need "%config(noreplace)" (marked as rpmnew because config files like postfix will be site specific)
> /usr/lib/systemd/system/tlsrpt-collectd.service
> /usr/lib/systemd/system/tlsrpt-reportd.service
> /etc/tlsrpt/*.*
> If the system finds postfix installed, may need an echo/printf at the end of the install or readme to
> Indicate that selinux policy like "semanage permissive -a postfix_smtp_t" will be needed.
>
> Personally I install tlsrpt-reporter on an external server instead of directly on my postfix servers and use socat to map each postfix server to the tlsrpt-collectd.socket on the external server. This consolidates TLS reports from multiple postfix servers in a single database. I found that some companies like Microsoft only allow one TLS report per day from each sender domain. On my postfix servers I still need "semanage permissive -a postfix_smtp_t" to connect to the socat socket, but it is always on the postfix machine rather than on the tlsrpt-reporter machine.
>
> Mike
>
> -----Original Message-----
> From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
> Sent: Friday, August 22, 2025 3:31 AM
> To: users at lists.ghettoforge.net
> Subject: Re: [GF-Users] GF10 is now released!
>
> Should all be done now.
>
>
> Peter
>
>
> On 22/08/25 19:20, Peter wrote:
>> On 21/08/25 02:53, Michael Webb wrote:
>>> Thanks Peter
>>>
>>> Am in the process of migrating to EL10 and have noticed some other minor issues. Know you have been really busy so please address when convenient.
>>>
>>> tlsrpt-reporter
>>> ---------------------
>>> when installing tlsrpt-reporter package output from the install:
>>> /usr/lib/sysusers.d/tlsrpt.conf:1: Unknown modifier 'u!'.
>>> /usr/lib/tmpfiles.d/tlsrpt.conf:1: Failed to resolve user 'tlsrpt':
>>> No such process
>>>
>>> 1. the "u!" needs to be replaced with "u" in
>>> /usr/lib/sysusers.d/tlsrpt.conf
>>> 2. tlsrpt group seems to be there
>>> already so only need to add "useradd -g tlsrpt tlsrpt" as part of the
>>> spec sequence
>>
>> These should already be fixed in the release I uploaded for EL10,
>> although I haven't pushed the fixes to EL8 and 9 yet, thanks for
>> reminding me.
>>
>>> Postfix-tlspol
>>> ------------------
>>> Git Package was recently updated from 1.8.12 to 1.8.13. Can either
>>> use my tar.gz from
>>> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol or use
>>> wget
>>> wget https://github.com/Zuplu/postfix-tlspol/archive/refs/tags/v1.8.13.tar.gz -O /root/rpmbuild/SOURCES/postfix-tlspol-1.8.13.tar.gz
>>> I made an attempt to update your latest spec file (version, release and changelog only) and successfully built for EL10. I noticed in changelogs that you removed version from the spec filename but the previous links you provided for the spec examples hide the real filename so could not see how you do that.
>>
>> This is next on my list.
>>
>>
>> Peter
>>
>> _______________________________________________
>> users mailing list
>> users at lists.ghettoforge.net
>> http://lists.ghettoforge.net/mailman/listinfo/users
>
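
The narrowly scoped policy proposed in the message above, sketched as a loadable module so it can be compared with the domain-wide `semanage permissive -a postfix_smtp_t` from the quoted reply. This is an added example, not the policy shipped by the package or written by either poster. It assumes the collector socket is a Unix datagram socket and that tlsrpt-collectd runs in `unconfined_service_t` (SELinux checks sendto against the receiving process's domain, not the socket file's type); the module name `tlsrpt_postfix` is hypothetical.

```selinux
# tlsrpt_postfix.te -- added example; the module name is hypothetical.
# postfix_smtp_t and tlsrpt_var_run_t are the types named in the thread.
module tlsrpt_postfix 1.0;

require {
    type postfix_smtp_t;
    # Assumption: with no dedicated domain of its own, tlsrpt-collectd
    # runs as unconfined_service_t. Confirm with: ps -eZ | grep tlsrpt
    type unconfined_service_t;
    attribute file_type;
    class dir { search };
    class sock_file { write };
    class unix_dgram_socket { sendto };
}

# New type for the runtime directory; a socket created inside it
# inherits the directory's type by default.
type tlsrpt_var_run_t;
typeattribute tlsrpt_var_run_t file_type;

# Let the Postfix SMTP client reach the socket file ...
allow postfix_smtp_t tlsrpt_var_run_t:dir { search };
allow postfix_smtp_t tlsrpt_var_run_t:sock_file { write };
# ... and deliver datagrams to the process that owns the socket.
allow postfix_smtp_t unconfined_service_t:unix_dgram_socket { sendto };

# Build and load:
#   checkmodule -M -m -o tlsrpt_postfix.mod tlsrpt_postfix.te
#   semodule_package -o tlsrpt_postfix.pp -m tlsrpt_postfix.mod
#   semodule -i tlsrpt_postfix.pp
#
# Label the directory, then relabel what already exists. If semanage
# reports an equivalency conflict between /var/run and /run, use the
# path form it suggests instead.
#   semanage fcontext -a -t tlsrpt_var_run_t '/var/run/tlsrpt(/.*)?'
#   restorecon -Rv /var/run/tlsrpt
#
# If the whole domain was made permissive earlier, put it back under
# enforcement once the module is loaded:
#   semanage permissive -d postfix_smtp_t
```

Any remaining denials show up with `ausearch -m AVC -ts recent`, which is the place to check whether the domain and socket-class assumptions above match the running system.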