postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Tue Jun 27 16:48:04 UTC 2006


On Tue, 2006-06-27 at 17:20 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > On Tue, 2006-06-27 at 00:05 +0100, Paul Howarth wrote:
> >> I share Nicolas' feelings about having hidden directories in /etc; this
> >> could be mitigated perhaps by having something like the ".pyzor"
> >> directory being replaced by a symlink to a "pyzor" directory.
> > 
> > No disagreement with either of you here.
> > 
> > The key here I believe is that we demonstrated a proof of concept, in
> > that we can control the locations where these files get written and do
> > so in a system-wide fashion. Even if this ends up being unique to FC/FE
> > based installations due to SELinux requirements.
> > 
> > I have no vested interest in the specific locations and only used the
> > examples from the SA wiki as the basis for the initial attempt.
> > 
> > We can certainly come to some appropriate consensus as to where we want
> > them, whether higher in /etc or perhaps in /var.
> > 
> > If you guys provide some feedback, I can make the requisite changes.
> 
> I think the main issue isn't really whether the directories live under 
> /var, /etc etc., but that they are "hidden" directories with names 
> starting with a dot. Can the tools be persuaded to use other, more 
> visible directory names?

Paul,

Just a quick reply here for clarification.

First, I'm an idiot. I took the term hidden to mean "buried", as opposed
to a file or folder that requires the use of 'ls -a' to be seen.

So, with that clarification, I think that the only change required here
would be to make /etc/spamassassin/.razor be /etc/spamassassin/razor.

pyzor is just in /etc/spamassassin, where it uses the 'servers' file and
dcc is otherwise unaffected.

If you wanted, I could move the pyzor 'servers' file (and edit the
requisite local.conf file) to use /etc/spamassassin/pyzor/servers
instead.

Thus, changing:

/etc/mail/spamassassin/local.cf
/etc/mail/spamassassin/.razor/razor-agent.conf

and the crontab entries to use razor instead of .razor should be all
that is required here. Same for pyzor if we move the servers file.

Do those changes affect any of the policies that we have in process,
before I move forward?

Thanks,

Marc




