[GF-Users] tlsrpt-reporter and SELinux

Peter peter at pajamian.dhs.org
Fri Aug 29 17:53:29 MST 2025


I went ahead and moved the packages to the main repo.  Let me know how 
they work, please.


Peter


On 27/08/25 15:42, Peter wrote:
> I pushed out some new tlsrpt-reporter packages to the gf-testing repo.
> Due to the scope of the changes I didn't want to push them out to the
> main repo until I know that the changes work and don't break anything.
> There are now three packages total:
> 
> tlsrpt-reporter - This is now a meta-package that doesn't actually
> install anything itself but contains tlsrpt-reporter-core and
> tlsrpt-reporter-selinux as dependencies.
> 
> tlsrpt-reporter-core - This now contains everything that tlsrpt-reporter
> used to contain, so if you want to install tlsrpt-reporter without the
> selinux policies you can just install this package.
> 
> tlsrpt-reporter-selinux - This will install the selinux policies to
> allow postfix to connect to the tlsrpt-reporter sockets.
> 
> To install or update to this new release:
> 
> dnf --enablerepo=gf-testing install tlsrpt-reporter
> 
> Please let me know if this fixes the selinux issues, or if not, can you
> share a copy of the new denials from audit.log?
> 
> 
> Peter
> 
> 
> On 24/08/25 15:25, Peter wrote:
>> I recall I was going to do something about the systemd issue but it fell
>> through the cracks.  The last thing I came up with which I believe is
>> the appropriate remedy is as follows:
>>
>>> Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set
>>> context for /var/run/tlsrpt to that type.
>>>
>>> Create a new policy allowing write and sendto for postfix_smtp_t to
>>> tlsrpt_var_run_t.
>>>
>>> That should allow postfix to access the socket properly without blowing
>>> out access to a bunch of other files as well.
>>
>> I'm thinking of actually doing this from a separate package
>> (tlsrpt-reporter-selinux-policies) and setting that as a "Recommends"
>> for the tlsrpt-reporter.  This way people are not forced to install the
>> selinux policies if they have another solution in mind.
>>
>>
>> Peter
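
The thread asks for any new denials from audit.log after installing the policy package. As an added example (not part of any message in this thread and not GhettoForge code), the script below summarizes AVC denials whose source domain is postfix_smtp_t, so it is easy to see whether postfix is still blocked and on which target type. The sample log lines, the socket file name and the unconfined_service_t target are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the standard AVC layout (not taken from the thread).
# The socket file name and the unconfined_service_t target are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1756000000.101:501): avc:  denied  { write } for  pid=2211 comm="smtp" name="example.socket" dev="tmpfs" ino=4242 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1756000000.102:502): avc:  denied  { sendto } for  pid=2211 comm="smtp" path="/run/tlsrpt/example.socket" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1756000009.300:517): avc:  denied  { write } for  pid=2290 comm="smtp" name="example.socket" dev="tmpfs" ino=4242 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1756000010.103:520): avc:  denied  { read open } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1756000011.000:521): pid=1 uid=0 msg='unit=postfix comm="systemd" res=success'
"""

# Matches a denied AVC record and captures permissions, both contexts and the object class.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text, source_type="postfix_smtp_t"):
    """Count denials for one source domain as (target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # not a denial, or a denial for some other domain
        for perm in m["perms"].split():  # a record may list several permissions
            counts[(selinux_type(m["tcontext"]), m["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (ttype, tclass, perm), n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}  postfix_smtp_t -> {ttype}:{tclass} {{ {perm} }}")
```

On a real host, pass the text of audit.log to `summarize_denials` instead of the sample; an empty result for postfix_smtp_t after the update means no new denials were logged for that domain.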


