[GF-Users] FW: tlsrpt-reporter and SELinux
Michael Webb
michael.webb at integrilog.com
Sat Sep 27 06:45:08 MST 2025
Luca
FYI - there were instructions posted on 27 Aug. I think the "testing" option window closed on 29 Aug.
Mike
-----Original Message-----
From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
Sent: Friday, August 29, 2025 6:53 PM
To: users at lists.ghettoforge.net
Subject: Re: [GF-Users] tlsrpt-reporter and SELinux
I went ahead and moved the packages to the main repo. Let me know how they work, please.
Peter
On 27/08/25 15:42, Peter wrote:
> I pushed out some new tlsrpt-reporter packages to the gf-testing repo.
> Due to the scope of the changes I didn't want to push them out to the
> main repo until I know that the changes work and don't break anything.
> There are now three packages total:
>
> tlsrpt-reporter - This is now a meta-package that doesn't actually
> install anything itself but contains tlsrpt-reporter-core and
> tlsrpt-reporter-selinux as dependencies.
>
> tlsrpt-reporter-core - This now contains everything that tlsrpt-reporter
> used to contain, so if you want to install tlsrpt-reporter without the
> selinux policies you can just install this package.
>
> tlsrpt-reporter-selinux - This will install the selinux policies to
> allow postfix to connect to the tlsrpt-reporter sockets.
>
> To install or update to this new release:
>
> dnf --enablerepo=gf-testing install tlsrpt-reporter
>
> Please let me know if this fixes the selinux issues, or if not, can you
> share a copy of the new denials from audit.log?
>
>
> Peter
>
>
> On 24/08/25 15:25, Peter wrote:
>> I recall I was going to do something about the systemd issue but it fell
>> through the cracks. The last thing I came up with which I believe is
>> the appropriate remedy is as follows:
>>
>>> Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set
>>> context for /var/run/tlsrpt to that type.
>>>
>>> Create a new policy allowing write and sendto for postfix_smtp_t to
>>> tlsrpt_var_run_t.
>>>
>>> That should allow postfix to access the socket properly without blowing
>>> out access to a bunch of other files as well.
>>
>> I'm thinking of actually doing this from a separate package
>> (tlsrpt-reporter-selinux-policies) and setting that as a "Recommends"
>> for the tlsrpt-reporter. This way people are not forced to install the
>> selinux policies if they have another solution in mind.
>>
>>
>> Peter
> _______________________________________________
> users mailing list
> users at lists.ghettoforge.net
> http://lists.ghettoforge.net/mailman/listinfo/users
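The thread asks for a copy of any new denials from audit.log after installing the policy package. The following is an added example, not part of the original messages or the GhettoForge packages: it groups AVC denials whose source domain is postfix_smtp_t by target type and object class, so any remaining write or sendto denials stand out. The log lines, socket name, pids and target contexts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not taken from the thread); the socket name,
# pids and target contexts are made up for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1756093500.101:811): avc:  denied  { write } for  pid=2101 comm="smtp" name="reporter.sock" dev="tmpfs" ino=40211 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1756093500.102:812): avc:  denied  { sendto } for  pid=2101 comm="smtp" path="/run/tlsrpt/reporter.sock" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1756093611.007:840): avc:  denied  { write } for  pid=2140 comm="smtp" name="reporter.sock" dev="tmpfs" ino=40211 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1756093700.500:851): avc:  denied  { read } for  pid=3000 comm="httpd" name="secret" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1756093700.500:851): arch=c000003e syscall=257 success=no exit=-13
"""

# Pull the permission set and the source/target contexts out of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text, source_type="postfix_smtp_t"):
    """Group AVC denials from one source domain by (target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue
        entry = summary[(selinux_type(m["tcontext"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (ttype, tclass), e in sorted(summarize_denials(SAMPLE_LOG).items()):
        perms = " ".join(sorted(e["perms"]))
        print(f"postfix_smtp_t -> {ttype}:{tclass} {{ {perms} }} x{e['count']}")
```

To run it against a real system, pass the contents of /var/log/audit/audit.log to `summarize_denials` instead of `SAMPLE_LOG`.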