postfix sendmail and GeoIP
Manuel Wolfshant
wolfy at nobugconsulting.ro
Wed Jan 16 15:31:39 UTC 2008
Stefan Schulze Frielinghaus wrote:
>
>> I ran audit2allow -M which produced the following policy:
>>
>> module postfixSendmail 1.0;
>>
>> require {
>> type system_mail_t;
>> type usr_t;
>> class file read;
>> }
>>
>> #============= system_mail_t ==============
>> allow system_mail_t usr_t:file read;
>>
>> I don't think allowing postfix.sendmail to read all files of type usr_t
>> is the right thing to do, yet, I do need to allow postfix.sendmail to
>> read the GeoIP data file.
>>
>> Any suggestions?
>>
>
> I think it's not a big problem allowing _read_ of usr_t files. If you
> really want to separate these files from others you could create a new
> type. But like I already mentioned usr_t files do not hold any
> confidential information (or at least they shouldn't). IMHO I would
> allow read access.
>
> -Stefan
>
> --
>
+ You could also add into the equation the good old pre-SELinux attributes
and allow postfix.sendmail to read only from the desired dir. Either
setfacl or chmod o-rwx plus chgrp (or variants of this combination)
would help here.
More information about the fedora-selinux-list mailing list