Date: Wed, 30 May 2018 20:25:03 +0000
From: Eric Wong
To: Konstantin Ryabitsev
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Contribute SELinux policy for EL7
Message-ID: <20180530202503.zwl52uvpnia4yl5w@untitled>
References: <20180524190306.GA23233@work> <20180530031524.GA28636@dcvr> <20180530171318.GA13730@chatter>
In-Reply-To: <20180530171318.GA13730@chatter>

Konstantin Ryabitsev wrote:
> On Wed, May 30, 2018 at 03:15:24AM +0000, Eric Wong wrote:
> > > - public-inbox-httpd and public-inbox-nntpd are running via systemd
> > >   on sane ports (119 and 80/8080)
> > > - /var/lib/public-inbox is the location for mainrepos
> > > - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
> > > - /var/log/public-inbox is the location for logs
> > > - mail delivery is done via postfix-pipe (if you're using
> > >   public-inbox-watch, you shouldn't need to worry about this)
> >
> > So nothing is needed for public-inbox-watch at all?
>
> I'd considered writing something for it, but decided to limit myself to
> what I can actually cover via personal experience. In addition, my
> assumption is that people who are most likely to be running
> public-inbox-watch are not going to be running it as a system-level
> daemon (since in that case they are more likely to set up
> public-inbox-mda), but as a regular user inside screen -- and therefore
> wouldn't benefit from SELinux anyway.

Ah, ok. I was wondering why you thought that, and then I realized I
forgot to include a public-inbox-watch.service example for systemd.
Anyways I run -watch via systemd, but screen works, too. Will add an
example -watch.service file in a separate patch.

> > Is it possible to use "\" or similar to wrap long lines?
> >
> > (same comment applies to the .te file; I need to use a gigantic font)
>
> I know what you mean, but I'm trying to stick with the upstream policy
> style, which doesn't use such approach (e.g. see
> https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/system).
> Theoretically, m4 supports doing that, but if the ultimate goal is to
> include it into the upstream policy, then I feel we should stick to the
> formatting style used there.

Fair enough. There was a comment or two in the .te file which should've
been wrapped, at least.

> > > +# Run on http/httpcache and innd ports
> >
> > innd?
>
> Innd is the nntp daemon, and the 119/tcp port is labeled as innd_port_t,
> so just sticking with that nomenclature here.

Odd that they assume innd is the only 119 user, but they use "http"
instead of "apache" for 80. Oh well, I suppose there could be a comment
clarifying we mean NNTP to not confuse people into thinking we depend
on innd.

> I'll send a second patch iteration in the near future, as I've missed a
> thing or two in the current one.

Sure thing, thanks.