daniel Hi, I'm trying to set up Grommunio on a Rocky 9 Linux box with SELinux enabled and I'm facing the problem that php-fpm is not allowed to connect to /run/gromox/zcore.sock as gromox-http is running as unconfined_service_t. I already tried fixing the context of the socket file (to httpd_var_run_t), but SELinux takes account of the process context of gromox's http. Is there any guidance on how to set up Grommunio on RHEL/Rocky with SELinux enabled? Would it be interesting to incorporate in the gromox rpm some SELinux context information to stop the daemon processes being unconfined? bye Daniel
daniel Hi, I spent some time this afternoon and created a first SELinux policy for the gromox processes which is working now for my setup (web, imap and smtp delivery). It's not fully tested. Also, I have been working with SELinux for years, but this is the first application policy package I've built. I'm very excited about some feedback if someone has more experience in building such packages. I know some improvements that might make sense, but I'm not aware if there are any DON'Ts in it ;-). Also I'd like to ask Grommunio to use it as a base to build an optional package in the RHEL repo. Link: https://www.fiederling.net/gromox-selinux.tgz bye Daniel
crpb Hi Daniel, I would suggest creating an issue on Github. But maybe @jengelh 👋 will just pick it up from here.
jengelh /var/run is a symlink to /run. There will never be paths containing /var/run. So, does the /var/run line in gromox.fc actually match any files? (find / | grep /var/run/gromox == empty)
daniel jengelh This part has been auto-generated by sepolicy generate. And a look in semanage fcontext -l shows that many other rules (even distribution delivered) point to /var/run and there is an equivalence /var/run = /run. So I think this is correct. Many thanks for picking up my suggestion here!
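For readers who want to see what a policy of the kind Daniel describes looks like, here is a minimal, added example written for this thread. It is not Daniel's package and not the module that later landed in the gromox repository: it only shows the two pieces the thread discusses, a confined domain for the gromox daemons (so they no longer run as unconfined_service_t) and the rule that lets php-fpm (httpd_t) connect to the socket under /run/gromox. The type names gromox_t, gromox_exec_t and gromox_var_run_t and the executable path /usr/libexec/gromox/http are assumptions; only gromox.fc, httpd_var_run_t, unconfined_service_t and /run/gromox/zcore.sock come from the thread. The file-context entry uses /run; because of the /var/run = /run equivalence that semanage fcontext -l shows, a generated /var/run entry would match the same files.

```selinux
## gromox.te  (example module; type names and the binary path are assumptions)
policy_module(gromox, 0.1.0)

########################################
# Declarations

# Domain for the gromox daemons (http, imap, smtp delivery) and the type of
# their executables. init_daemon_domain adds the systemd -> gromox_t
# transition, which is what stops the services running as unconfined_service_t.
type gromox_t;
type gromox_exec_t;
init_daemon_domain(gromox_t, gromox_exec_t)

# Type for /run/gromox and the sockets created in it (zcore.sock and friends).
type gromox_var_run_t;
files_pid_file(gromox_var_run_t)

########################################
# Local policy for the daemons

# Create, use and remove /run/gromox and the socket files in it, and label
# anything the daemon creates under /run with gromox_var_run_t.
manage_dirs_pattern(gromox_t, gromox_var_run_t, gromox_var_run_t)
manage_sock_files_pattern(gromox_t, gromox_var_run_t, gromox_var_run_t)
files_pid_filetrans(gromox_t, gromox_var_run_t, { dir sock_file })

# Config, logging, networking etc. are not covered here; collect the remaining
# denials from audit.log and add them deliberately rather than wholesale.

########################################
# Let php-fpm (httpd_t) reach zcore.sock

gen_require(`
    type httpd_t;
')

# php-fpm only needs to traverse /run/gromox, write to the socket file and
# connect to the listening socket that belongs to gromox_t. Nothing else of
# gromox's state is exposed to the web server domain.
search_dirs_pattern(httpd_t, gromox_var_run_t, gromox_var_run_t)
write_sock_files_pattern(httpd_t, gromox_var_run_t, gromox_var_run_t)
allow httpd_t gromox_t:unix_stream_socket connectto;


## gromox.fc  (example file contexts; the executable path is an assumption)
# /run is the canonical path. semanage fcontext -l lists /var/run = /run as an
# equivalence, so an auto-generated /var/run/gromox entry matches the same files.
/run/gromox(/.*)?            gen_context(system_u:object_r:gromox_var_run_t,s0)
/usr/libexec/gromox/http  -- gen_context(system_u:object_r:gromox_exec_t,s0)
```

Build and load it with the refpolicy devel Makefile (make -f /usr/share/selinux/devel/Makefile gromox.pp, then semodule -i gromox.pp), relabel the paths named in gromox.fc with restorecon -Rv, and restart the services. Afterwards ps -eZ should show the gromox processes in gromox_t rather than unconfined_service_t, and the earlier workaround of relabelling the socket to httpd_var_run_t is no longer needed, since the connect rule is granted to httpd_t on the daemon's own type.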
daniel Thanks for bringing this to the code base! Great! I'm still working on some minor improvements. What would be the best way to send you my updates? bye Daniel
mwilliams daniel Create a PR. Your (adapted) commit is here: https://github.com/grommunio/gromox/commit/b78ad7e23227471bd4bbbd430efe918bbed342fc