web/html/docs/selinux-managing-confined-services-guide/en-US/F11/html-single index.html, NONE, 1.1

sradvan sradvan at fedoraproject.org
Thu Aug 13 23:57:30 UTC 2009


Author: sradvan

Update of /cvs/fedora/web/html/docs/selinux-managing-confined-services-guide/en-US/F11/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20086/selinux-managing-confined-services-guide/en-US/F11/html-single

Added Files:
	index.html 
Log Message:
add services guide


--- NEW FILE index.html ---
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Managing Confined Services</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican" /><meta name="package" content="" /><meta name="description" content="The Managing Confined Services guide is designed to assist advanced users and administrators when using and configuring SELinux. It is focused on Fedora Linux and describes the components of SELinux as they pertain to services an advanced user or administrator might need to configure. Also included are real-world examples of configuring these services and demonstrations of how SELinux complements their operation." /></head><body class=""><div class="book" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">SELinux</span> <span class="productnumber">3.6.12</span></div><div><h1 id="id2983210" class="title">Managing Confined Services</h1></div><p class="edition">Edition 1.0</p><div><h3 class="corpauthor">
				<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
			</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:sradvan@redhat.com">sradvan@redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2009 Red Hat, Inc.</p></div><hr /><div><div id="id3088537" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
		Copyright <span class="trademark"></span>© 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
	</div><div class="para">
		Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
	</div><div class="para">
		Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
	</div><div class="para">
		All other trademarks and copyrights referred to are the property of their respective owners.
	</div><div class="para">
		Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>. 
	</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">The Managing Confined Services guide is designed to assist advanced
users and administrators when using and configuring SELinux. It is
focused on Fedora Linux and describes the components of SELinux as
they pertain to services an advanced user or administrator might
need to configure. Also included are real-world examples of
configuring these services and demonstrations of how SELinux
complements their operation.</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Managing_Confined_Services-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#id3062531">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#id3048790">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#id3084879">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#id3043299">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#id3046533">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Trademark_Information">1. Trademark Information</a></span></dt><dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Introduction">2. Introduction</a></span></dt><dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Targeted_policy">3. Targeted policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Type_Enforcement">3.1. Type Enforcement</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Confined_processes">3.2. Confined processes</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Unconfined_processes">3.3. Unconfined processes</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-The_Apache_HTTP_Server">4. The Apache HTTP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-The_Apache_HTTP_Server-The_Apache_HTTP_Server_and_SELinux">4.1. The Apache HTTP Server and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types">4.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans">4.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-The_Apache_HTTP_Server-Configuration_examples">4.4. Configuration examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Running_a_static_site">4.4.1. Running a static site</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Sharing_NFS_and_CIFS_file_systems">4.4.2. Sharing NFS and CIFS file systems</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Sharing_files_between_services">4.4.3. Sharing files between services</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers">4.4.4. Changing port numbers</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Samba">5. Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Samba-Samba_and_SELinux">5.1. Samba and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Samba-Types">5.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Samba-Booleans">5.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Samba-Configuration_examples">5.4. Configuration examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Sharing_directories_you_create">5.4.1. Sharing directories you create</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_examples-Sharing_a_website">5.4.2. Sharing a website</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-File_Transfer_Protocol">6. File Transfer Protocol</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-File_Transfer_Protocol-FTP_and_SELinux">6.1. FTP and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-File_Transfer_Protocol-Types">6.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-File_Transfer_Protocol-Booleans">6.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples">6.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_Examples-Uploading_to_an_FTP_site">6.4.1. Uploading to an FTP site</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Network_File_System">7. Network File System</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-NFS-NFS_and_SELinux">7.1. NFS and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-NFS-Types">7.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_services-NFS-Booleans">7.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-NFS-Configuration_Examples">7.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Configuration_Examples-Sharing_directories_using_NFS">7.4.1. Sharing directories using NFS</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Berkeley_Internet_Name_Domain">8. Berkeley Internet Name Domain</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-BIND-BIND_and_SELinux">8.1. BIND and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-BIND-Types">8.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-BIND-Booleans">8.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-BIND-Configuration_Examples">8.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-BIND-Configuration_Examples-Dynamic_DNS">8.4.1. Dynamic DNS</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Concurrent_Versioning_System">9. Concurrent Versioning System</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-CVS_and_SELinux">9.1. CVS and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-Types">9.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-Booleans">9.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-Configuration_Examples">9.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-Configuration_Examples-Setting_Up_CVS">9.4.1. Setting up CVS</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Concurrent_Versioning_System-Configuration_Examples-Setting_Up_CVS-Server-Setup">9.4.2. Server setup</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Squid_Caching_Proxy">10. Squid Caching Proxy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Squid_Caching_Proxy-Squid_Caching_Proxy_and_SELinux">10.1. Squid Caching Proxy and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Squid_Caching_Proxy-Types">10.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Squid_Caching_Proxy-Booleans">10.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Squid_Caching_Proxy-Configuration_Examples">10.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Squid_Caching_Proxy-Configuration_Examples-Squid_Connecting_To_Non_Standard_Ports">10.4.1. Squid Connecting to Non-Standard Ports</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-MySQL">11. MySQL</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-MySQL-MySQL_and_SELinux">11.1. MySQL and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-MySQL-Types">11.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-MySQL-Booleans">11.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-MySQL-Configuration_Examples">11.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-MySQL-Configuration_Examples-Changing_Database_Location">11.4.1. MySQL Changing Database Location</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-PostgreSQL">12. PostgreSQL</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-PostgreSQL-PostgreSQL_and_SELinux">12.1. PostgreSQL and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-PostgreSQL-Types">12.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-PostgreSQL-Booleans">12.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-PostgreSQL-Configuration_Examples">12.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-PostgreSQL-Configuration_Examples-Changing_Database_Location">12.4.1. PostgreSQL Changing Database Location</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-rsync">13. rsync</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-rsync_and_SELinux">13.1. rsync and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Types">13.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Booleans">13.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Configuration_Examples">13.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Configuration_Examples-Rsync_as_a_daemon">13.4.1. Rsync as a daemon</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-Postfix">14. Postfix</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Postfix_and_SELinux">14.1. Postfix and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Types">14.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Booleans">14.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Configuration_Examples">14.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Configuration_Examples-SpamAssassin_and_Postfix">14.4.1. SpamAssassin and Postfix</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Managing_Confined_Services-References">15. References</a></span></dt></dl></div><div class="preface" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Managing_Confined_Services-Preface" class="title">Preface</h1></div></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id3062531">1. Document Conventions</h2></div></div></div><div class="para">
		This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
	</div><div class="para">
		In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
	</div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id3048790">1.1. Typographic Conventions</h3></div></div></div><div class="para">
			Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
		</div><div class="para">
			<code class="literal">Mono-spaced Bold</code>
		</div><div class="para">
			Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
			</div></blockquote></div><div class="para">
			The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
		</div><div class="para">
			Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
			</div><div class="para">
				Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
			</div></blockquote></div><div class="para">
			The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
		</div><div class="para">
			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
			</div></blockquote></div><div class="para">
			<span class="application"><strong>Proportional Bold</strong></span>
		</div><div class="para">
			This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
			</div><div class="para">
				To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the <span class="application"><strong>gedit</strong></span> menu bar.
			</div></blockquote></div><div class="para">
			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
		</div><div class="para">
			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
		</div><div class="para">
			<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
		</div><div class="para">
			Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john@example.com</code>.
			</div><div class="para">
				The <code class="command">mount -o remount <em class="replaceable"><code>file-system</code></em></code> command remounts the named file system. For example, to remount the <code class="filename">/home</code> file system, the command is <code class="command">mount -o remount /home</code>.
			</div><div class="para">
				To see the version of a currently installed package, use the <code class="command">rpm -q <em class="replaceable"><code>package</code></em></code> command. It will return a result as follows: <code class="command"><em class="replaceable"><code>package-version-release</code></em></code>.
			</div></blockquote></div><div class="para">
			Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.
		</div><div class="para">
			Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
			</div></blockquote></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id3084879">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
			Two, commonly multi-line, data types are set off visually from the surrounding text.
		</div><div class="para">
			Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
		</div><pre class="screen">
books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs
</pre><div class="para">
			Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
		</div><pre class="programlisting">
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[]) 
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
   
}
</pre></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id3043299">1.3. Notes and Warnings</h3></div></div></div><div class="para">
			Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
		</div><div class="note"><h2>Note</h2><div class="para">
				A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
			</div></div><div class="important"><h2>Important</h2><div class="para">
				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
			</div></div><div class="warning"><h2>Warning</h2><div class="para">
				A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
			</div></div></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id3046533">2. We Need Feedback!</h2></div></div></div><a id="id3079770" class="indexterm"></a><div class="para">
		If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a>
		against the product <span class="application"><strong>SELinux.</strong></span>
	</div><div class="para">
		When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">Managing_Confined_Services</em>
	</div><div class="para">
		If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
	</div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Managing_Confined_Services-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><div class="para">
		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the U.S. and other countries.
	</div><div class="para">
		UNIX is a registered trademark of The Open Group.
	</div><div class="para">
		Type Enforcement is a trademark of Secure Computing, LLC, a wholly owned subsidiary of McAfee, Inc., registered in the U.S. and in other countries. Neither McAfee nor Secure Computing, LLC, has consented to the use or reference to this trademark by the author outside of this guide.
	</div><div class="para">
		Apache is a trademark of The Apache Software Foundation.
	</div><div class="para">
		MySQL is a registered trademark of Sun Microsystems in the United States and other countries.
	</div><div class="para">
		Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
	</div><div class="para">
		Other products mentioned may be trademarks of their respective corporations.
	</div><div class="para">
		This guide includes material drawn from the <a href="http://docs.fedoraproject.org/selinux-user-guide/">Fedora 10 Security-Enhanced Linux User Guide</a>. The Fedora 10 Security-Enhanced Linux User Guide was written by Murray McAllister and Daniel Walsh. Technical editors include Dominick Grift, Eric Paris, and James Morris. Refer to the original document for details and the document as it was first released: <a href="http://docs.fedoraproject.org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a>. Copyright © 2008 Red Hat, Inc.
	</div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Managing_Confined_Services-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="para">
		Security-Enhanced Linux (SELinux) refers to files, such as directories and devices, as objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are referred to as subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <span class="trademark">Linux</span>® operating systems, users could make their home directories world-readable, inadvertently giving users and processes (subjects) access to potentially sensitive information.
	</div><div class="para">
		DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.<sup>[<a id="id3128805" href="#ftn.id3128805" class="footnote">1</a>]</sup>
	</div><div class="para">
		The following is an example of the permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions shown may differ from those on your system. Use the <code class="command">ls -l</code> command to view file permissions:
	</div><pre class="screen">
$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 2009-03-16 14:07 file1
</pre><div class="para">
		The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access the Linux <code class="computeroutput">group1</code> group has to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>, which includes all users and processes.
	</div><div class="para">
		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from authorized users who have unwittingly executed malicious applications.<sup>[<a id="id3063918" href="#ftn.id3063918" class="footnote">2</a>]</sup>
	</div><div class="para">
		The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the <code class="command">ls -Z</code> command:
	</div><pre class="screen">
$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
</pre><div class="para">
		In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. This example also displays the DAC rules, which are shown in the SELinux context via the <code class="command">ls -Z</code> command. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
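The following is an added example, not part of the guide: a small shell script that splits an SELinux context into its four fields and models the decision order just described, where DAC is checked first and SELinux policy is consulted only when DAC has already allowed the access. The allow rules, the <code class="computeroutput">apache</code> user, the <code class="computeroutput">user_t</code> domain and the <code class="computeroutput">samba_share_t</code> label are constructed for illustration and stand in for the much larger real policy.

```shell
#!/bin/sh
# Added example, not from the guide: split an SELinux context into its
# fields and model the decision order described above (DAC first, then
# SELinux policy). The allow rules below are constructed for illustration.

# context_field CONTEXT FIELD -> prints the user, role, type or level
# of a context such as unconfined_u:object_r:user_home_t:s0
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;   # MLS levels may contain ':'
        *)     return 1 ;;
    esac
}

# dac_allows MODE OWNER GROUP USER USER_GROUP PERM
# MODE is the ten-character mode string from ls -l, PERM is r, w or x.
# Selects the owner, group or "everyone else" bits, as explained above.
dac_allows() {
    if [ "$4" = "$2" ]; then
        bits=$(printf '%s' "$1" | cut -c2-4)
    elif [ "$5" = "$3" ]; then
        bits=$(printf '%s' "$1" | cut -c5-7)
    else
        bits=$(printf '%s' "$1" | cut -c8-10)
    fi
    case "$bits" in
        *"$6"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed allow rules ("domain type permission"), standing in for
# the far larger set of allow rules in real targeted policy.
ALLOW_RULES='httpd_t httpd_sys_content_t r
user_t user_home_t r
user_t user_home_t w'

# mac_allows DOMAIN TYPE PERM -> true if a matching allow rule exists
mac_allows() {
    printf '%s\n' "$ALLOW_RULES" | grep -qx "$1 $2 $3"
}

# access_decision MODE OWNER GROUP FILE_CONTEXT USER USER_GROUP DOMAIN PERM
# Prints "denied by DAC", "denied by SELinux" or "allowed". SELinux rules
# are consulted only when DAC has already allowed the access.
access_decision() {
    ftype=$(context_field "$4" type)
    if ! dac_allows "$1" "$2" "$3" "$5" "$6" "$8"; then
        echo "denied by DAC"
    elif ! mac_allows "$7" "$ftype" "$8"; then
        echo "denied by SELinux"
    else
        echo "allowed"
    fi
}

# httpd (running as the constructed apache user in httpd_t) reading a
# world-readable file labeled for httpd:
access_decision -rw-r--r-- root root \
    unconfined_u:object_r:httpd_sys_content_t:s0 apache apache httpd_t r
# The same file labeled for Samba: DAC allows it, SELinux policy does not.
access_decision -rw-r--r-- root root \
    unconfined_u:object_r:samba_share_t:s0 apache apache httpd_t r
```

The point the second call makes is the one the text makes: a file that is readable by everyone under DAC can still be unreadable to a confined process, because no SELinux rule lets its domain access that type. Conversely, a mode of <code class="computeroutput">-rw-r-----</code> is refused before SELinux policy is ever consulted, so no SELinux denial is logged for it.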
	</div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id3128805" href="#id3128805" class="para">1</a>] </sup>
			"Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/freenix01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
		</p></div><div class="footnote"><p><sup>[<a id="ftn.id3063918" href="#id3063918" class="para">2</a>] </sup>
			"Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
		</p></div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Managing_Confined_Services-Targeted_policy">Chapter 3. Targeted policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Type_Enforcement">3.1. Type Enforcement</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Confined_processes">3.2. Confined processes</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Targeted_policy-Unconfined_processes">3.3. Unconfined processes</a></span></dt></dl></div><div class="para">
		Targeted policy is the default SELinux policy used in Fedora. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the <code class="computeroutput">unconfined_t</code> domain, and system processes started by init run in the <code class="computeroutput">initrc_t</code> domain - both of these domains are unconfined.
	</div><div class="para">
		SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Boolean configuration is discussed later.
	</div><div class="para">
		Other changes, such as using non-default directories to store files for services, and changing services to run on non-default port numbers, require policy configuration to be updated via tools such as <code class="command">semanage</code>. This is discussed later using detailed configuration examples.
	</div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-Targeted_policy-Type_Enforcement">3.1. Type Enforcement</h2></div></div></div><div class="para">
			Type Enforcement is the main permission control used in SELinux targeted policy. All files and processes are labeled with a type: types define a domain for processes and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
		</div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-Targeted_policy-Confined_processes">3.2. Confined processes</h2></div></div></div><div class="para">
			Almost every service that listens on a network is confined in Fedora. Also, most processes that run as the root user and perform tasks for users, such as the <span class="application"><strong>passwd</strong></span> application, are confined. When a process is confined, it runs in its own domain, such as the <code class="systemitem">httpd</code> process running in the <code class="computeroutput">httpd_t</code> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
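A quick way to see which processes are actually getting the protection described here is to look at the domain field of <code class="command">ps -eZ</code> output. The following is an added example, not from the guide: it reads that output and lists every process running in one of the unconfined domains named in this chapter (<code class="computeroutput">unconfined_t</code> and <code class="computeroutput">initrc_t</code>). The sample <code class="command">ps -eZ</code> output, including the <code class="computeroutput">mydaemon</code> process and the PIDs, is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: list processes that are running in one
# of the unconfined domains named in Chapter 3 (unconfined_t, initrc_t),
# using the output of "ps -eZ". The sample output below is constructed.

SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:01 init
system_u:system_r:httpd_t:s0           1234 ?        00:00:00 httpd
unconfined_u:system_r:initrc_t:s0      2345 ?        00:00:00 mydaemon
unconfined_u:unconfined_r:unconfined_t:s0 3456 pts/0 00:00:00 bash
unconfined_u:system_r:rsync_t:s0       9794 ?        00:00:00 rsync'

# domain_of CMD  (reads "ps -eZ" output on stdin)
# Prints the type (domain) from the context of the first process named CMD.
domain_of() {
    awk -v cmd="$1" 'NR > 1 && $5 == cmd { split($1, c, ":"); print c[3]; exit }'
}

# unconfined_processes  (reads "ps -eZ" output on stdin)
# Prints "PID DOMAIN CMD" for processes whose domain is unconfined; a
# network daemon showing up here is not being confined by SELinux.
unconfined_processes() {
    awk 'NR > 1 {
        split($1, c, ":")
        if (c[3] == "unconfined_t" || c[3] == "initrc_t") print $2, c[3], $5
    }'
}

# On a real system: ps -eZ | unconfined_processes
printf '%s\n' "$SAMPLE_PS" | domain_of httpd            # httpd_t
printf '%s\n' "$SAMPLE_PS" | unconfined_processes
```

A daemon that appears in this list has escaped its intended domain, typically because it was started by hand from an unconfined shell or from an init script that is not labeled <code class="computeroutput">initrc_exec_t</code>; the rsync chapter later in this guide shows how relabeling the init script moves the process into its own domain.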
		</div><div class="para">
			The following example demonstrates how SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
		</div><div class="orderedlist"><ol><li><div class="para">
					Run the <code class="command">sestatus</code> command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
				</div><pre class="screen">
$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
</pre><div class="para">
					<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
				</div></li><li><div class="para">
					As the root user, run the <code class="command">touch /var/www/html/testfile</code> command to create a file.
				</div></li><li><div class="para">
					Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the SELinux context:
				</div><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
</pre><div class="para">
					The <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user because a Linux user that is mapped to the <code class="computeroutput">unconfined_u</code> SELinux user created the file. Role-Based Access Control (RBAC) is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="id3053283" href="#ftn.id3053283" class="footnote">3</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
				</div></li><li><div class="para">
					As the root user, run the <code class="command">service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
				</div><pre class="screen"># /sbin/service httpd start
Starting httpd:                                            [  OK  ]
</pre></li><li><div class="para">
					Change into a directory that your Linux user has write access to, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are changes to the default configuration, this command succeeds:
				</div><pre class="screen">--2009-03-16 23:00:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
[...1764 lines suppressed...]
# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local

/etc/rc.d/init.d/rsyncd    system_u:object_r:initrc_exec_t:s0
</pre>
					</div></li><li><div class="para">
						Now use the <code class="filename">restorecon</code> command to apply this context mapping to the running system: 
<pre class="screen">
restorecon -R -v /etc/rc.d/init.d/rsyncd
</pre>
					</div></li><li><div class="para">
						Run the <code class="command">ls -lZ</code> command to confirm the script has been labeled appropriately. Note that in the following output the script has been labeled as <code class="computeroutput">initrc_exec_t</code>: 
<pre class="screen">
 ls -lZ /etc/rc.d/init.d/rsyncd
-rwxr-xr-x. root root system_u:object_r:<span class="emphasis"><em>initrc_exec_t</em></span>:s0 /etc/rc.d/init.d/rsyncd
</pre>
					</div></li><li><div class="para">
						Launch <code class="systemitem">rsyncd</code> via the new script. Now that rsync has started from an init script that has been appropriately labeled, the process will start as <code class="computeroutput">rsync_t</code>: 
<pre class="screen">
# /etc/rc.d/init.d/rsync start
Starting rsyncd:                                           [  OK  ]

ps -eZ | grep rsync
unconfined_u:system_r:<span class="emphasis"><em>rsync_t</em></span>:s0 9794 ?        00:00:00 rsync
</pre>
						 SELinux can now enforce its protection mechanisms over the <code class="systemitem">rsync</code> daemon as it is now running in the <code class="computeroutput">rsync_t</code> domain.
					</div></li></ol></div><div class="para">
				This example demonstrated how to get <code class="systemitem">rsyncd</code> running in the <code class="computeroutput">rsync_t</code> domain. The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.
			</div><div class="orderedlist"><h6>Running the rsync daemon on a non-default port</h6><ol><li><div class="para">
						Modify the <code class="filename">/etc/rsyncd.conf</code> file and add the <code class="command">port = 10000</code> line at the top of the file in the global configuration area (i.e., before any file areas are defined). The new configuration file will look like: 
<pre class="screen">
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
<span class="emphasis"><em>port = 10000</em></span>
[files]
        path = /srv/files
        comment = file area
        read only = false
	timeout = 300
</pre>
					</div></li><li><div class="para">
						After launching rsync from the init script with this new setting, a denial similar to the following is logged by SELinux: 
<pre class="screen">
Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages. run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
</pre>
					</div></li><li><div class="para">
						Run the <code class="command">semanage</code> command to add TCP port 10000 to SELinux policy in <code class="computeroutput">rsync_port_t</code>: 
<pre class="screen">
# semanage port -a -t rsync_port_t -p tcp 10000
</pre>
					</div></li><li><div class="para">
						Now that TCP port 10000 has been added to SELinux policy for <code class="computeroutput">rsync_port_t</code>, <code class="systemitem">rsyncd</code> will start and operate normally on this port: 
<pre class="screen">
# /etc/rc.d/init.d/rsync start
Starting rsyncd:                                           [  OK  ]
</pre>
						
<pre class="screen">
# netstat -lnp | grep 10000
tcp        0      0 0.0.0.0:<span class="emphasis"><em>10000</em></span>   0.0.0.0:*      LISTEN      9910/rsync
</pre>
					</div></li></ol></div><div class="para">
				SELinux has had its policy modified and is now permitting <code class="systemitem">rsyncd</code> to operate on TCP port 10000.
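This example and the SpamAssassin example in Section 14.4.1 both assign a new port with <code class="command">semanage port -a</code>. That command fails with an "already defined" error when the port is already assigned to some type, either directly or through a range, and <code class="command">semanage port -m</code> is needed instead. The following is an added example, not from the guide: it reads the output of <code class="command">semanage port -l</code>, works out which type (if any) already covers a port, and prints the command that would bring the port to the wanted type. The port listing, including the <code class="computeroutput">ephemeral_port_t</code> range, is constructed, and the script prints the command rather than running it.

```shell
#!/bin/sh
# Added example, not from the guide: decide whether "semanage port -a" or
# "semanage port -m" is the right command for a port, based on the output
# of "semanage port -l". The listing below is constructed.

SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
rsync_port_t                   tcp      873
rsync_port_t                   udp      873
spamd_port_t                   tcp      783
ephemeral_port_t               tcp      32768-61000'

# port_type_of PROTO PORT  (reads "semanage port -l" output on stdin)
# Prints the type whose port list or range already covers PORT, if any.
port_type_of() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# ensure_port_labeled TYPE PROTO PORT  (reads "semanage port -l" on stdin)
# Prints the semanage command that assigns PORT to TYPE, or "ok" if it
# already is. The command is printed rather than run so it can be reviewed
# first; "-a" fails with "already defined" where "-m" is required.
ensure_port_labeled() {
    current=$(port_type_of "$2" "$3")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $1 -p $2 $3"
    elif [ "$current" = "$1" ]; then
        echo "ok"
    else
        echo "semanage port -m -t $1 -p $2 $3"
    fi
}

# On a real system: semanage port -l | ensure_port_labeled rsync_port_t tcp 10000
printf '%s\n' "$SEMANAGE_PORTS" | ensure_port_labeled rsync_port_t tcp 10000
printf '%s\n' "$SEMANAGE_PORTS" | ensure_port_labeled spamd_port_t tcp 8443
```

Reassigning a port that another type already owns (the second call above) is a policy change worth reviewing: once TCP/8443 is moved to <code class="computeroutput">spamd_port_t</code>, <code class="systemitem">httpd</code> can no longer bind to it, so the printed <code class="command">-m</code> command should be checked against what else on the system uses that port.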
			</div></div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Managing_Confined_Services-Postfix">Chapter 14. Postfix</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-rsync-Postfix_and_SELinux">14.1. Postfix and SELinux</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Types">14.2. Types</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Booleans">14.3. Booleans</a></span></dt><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Configuration_Examples">14.4. Configuration Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Managing_Confined_Services-Postfix-Configuration_Examples-SpamAssassin_and_Postfix">14.4.1. SpamAssassin and Postfix</a></span></dt></dl></dd></dl></div><div class="para">
		From the <a href="http://www.postfix.org/">Postfix</a> project page:
	</div><div class="para">
		"What is Postfix? It is Wietse Venema's mailer that started life at IBM research as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different."
	</div><div class="para">
		In Fedora, the <span class="package">postfix</span> package provides Postfix. Run <code class="command">rpm -q postfix</code> to see if the <span class="package">postfix</span> package is installed. If it is not installed, run the following command as the root user to install it:
	</div><pre class="screen">
yum install postfix
</pre><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-rsync-Postfix_and_SELinux">14.1. Postfix and SELinux</h2></div></div></div><div class="para">
			When Postfix is enabled, it runs confined by default. Confined processes run in their own domains, and are separated from other confined processes. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited. The following example demonstrates the Postfix and related processes running in their own domain. This example assumes the <span class="package">postfix</span> package is installed and that the Postfix service has been started:
		</div><div class="orderedlist"><ol><li><div class="para">
					Run <code class="command">getenforce</code> to confirm SELinux is running in enforcing mode:
				</div><pre class="screen">
$ getenforce
Enforcing
</pre><div class="para">
					The <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code> when SELinux is running in enforcing mode.
				</div></li><li><div class="para">
					Run <code class="command">service postfix start</code> as the root user to start <code class="systemitem">postfix</code>:
				</div><pre class="screen">
service postfix start
Starting postfix:                               [  OK  ]
</pre></li><li><div class="para">
					Run <code class="command">ps -eZ | grep postfix</code> to view the <code class="systemitem">postfix</code> processes:
				</div><pre class="screen">
ps -eZ | grep postfix
system_u:system_r:postfix_master_t:s0 1651 ?   00:00:00 master
system_u:system_r:postfix_pickup_t:s0 1662 ?   00:00:00 pickup
system_u:system_r:postfix_qmgr_t:s0 1663 ?     00:00:00 qmgr
</pre><div class="para">
					For example, the SELinux context associated with the Postfix <code class="systemitem">master</code> process is <code class="computeroutput">system_u:system_r:postfix_master_t:s0</code>. The second-to-last part of the context, <code class="computeroutput">postfix_master_t</code>, is the type for this process. A type defines a domain for processes and a type for files. In this case, the <code class="systemitem">master</code> process is running in the <code class="computeroutput">postfix_master_t</code> domain.
				</div></li></ol></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-Postfix-Types">14.2. Types</h2></div></div></div><div class="para">
			Type Enforcement is the main permission control used in SELinux targeted policy. All files and processes are labeled with a type: types define a domain for processes and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
		</div><div class="para">
			The following types are used with <code class="computeroutput">Postfix</code>. Different types allow you to configure flexible access:
		</div><div class="variablelist"><dl><dt><span class="term"><code class="computeroutput">postfix_etc_t</code></span></dt><dd><div class="para">
						This type is used for configuration files for Postfix in <code class="filename">/etc/postfix</code>.
					</div></dd><dt><span class="term"><code class="computeroutput">postfix_data_t</code></span></dt><dd><div class="para">
						This type is used for Postfix data files in <code class="filename">/var/lib/postfix</code>.
					</div></dd></dl></div><div class="note"><h2>Note</h2><div class="para">
				To see the full list of files and their types for Postfix, run the following command: 
<pre class="screen">
$ grep postfix /etc/selinux/targeted/contexts/files/file_contexts
</pre>
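The <code class="command">grep</code> above shows which <code class="filename">file_contexts</code> entries mention Postfix. Deciding which type a given path should carry, and whether a file actually carries it, is what <code class="command">matchpathcon</code> and <code class="command">restorecon -n -v</code> do. The following is an added example, not from the guide, that approximates this in shell: it applies the <code class="filename">file_contexts</code> regular expressions to a path, takes the last matching entry (the entry libselinux uses when several match), and compares the result with <code class="command">ls -Z</code> output to find mislabeled files. The <code class="filename">file_contexts</code> excerpt and the <code class="command">ls -Z</code> lines are constructed; the optional file-type column that real entries may carry (such as <code class="computeroutput">--</code>) is skipped.

```shell
#!/bin/sh
# Added example, not from the guide: look up the type that policy expects for
# a path (as matchpathcon would) and report files whose label differs. Both the
# file_contexts excerpt and the ls -Z lines below are constructed.

FILE_CONTEXTS='/etc/postfix(/.*)?      system_u:object_r:postfix_etc_t:s0
/var/lib/postfix(/.*)?  system_u:object_r:postfix_data_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  --  system_u:object_r:httpd_sys_script_exec_t:s0'

# expected_type PATH
# Applies every file_contexts regular expression to PATH and prints the type
# from the last matching entry (the entry libselinux uses when several match).
# An optional file-type column (such as "--") between regex and context is
# skipped by always taking the last field as the context.
expected_type() {
    printf '%s\n' "$FILE_CONTEXTS" | awk -v path="$1" '
        NF >= 2 && $1 !~ /^#/ && path ~ ("^" $1 "$") { split($NF, c, ":"); t = c[3] }
        END { if (t != "") print t }'
}

# Constructed "ls -Z" output with full paths, e.g. from "ls -Z /etc/postfix/*"
SAMPLE_LS='-rw-r--r--  root root system_u:object_r:postfix_etc_t:s0 /etc/postfix/main.cf
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /etc/postfix/master.cf
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/shared.txt'

# mislabeled  (reads "ls -Z" output with full paths on stdin)
# Prints "PATH ACTUAL EXPECTED" for every file whose type does not match
# policy; these are the files restorecon would relabel.
mislabeled() {
    while read -r mode user group ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        expected=$(expected_type "$path")
        [ "$actual" = "$expected" ] || echo "$path $actual $expected"
    done
}

printf '%s\n' "$SAMPLE_LS" | mislabeled
```

The <code class="filename">master.cf</code> line in the sample is the common case this guide keeps returning to: a configuration file copied in from a home directory keeps its <code class="computeroutput">user_home_t</code> label, and the confined <code class="systemitem">postfix</code> domains are then denied access to it until <code class="command">restorecon</code> puts the expected <code class="computeroutput">postfix_etc_t</code> label back.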
			</div></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-Postfix-Booleans">14.3. Booleans</h2></div></div></div><div class="para">
			SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you must tell SELinux how you are running services. The following Boolean allows you to tell SELinux how you are running Postfix:
		</div><div class="variablelist"><dl><dt><span class="term"><code class="computeroutput">allow_postfix_local_write_mail_spool</code></span></dt><dd><div class="para">
						Having this Boolean enables Postfix to write to the local mail spool on the system. Postfix requires this Boolean to be enabled for normal operation when local spools are used.
					</div></dd></dl></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Managing_Confined_Services-Postfix-Configuration_Examples">14.4. Configuration Examples</h2></div></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Managing_Confined_Services-Postfix-Configuration_Examples-SpamAssassin_and_Postfix">14.4.1. SpamAssassin and Postfix</h3></div></div></div><div class="para">
				From the <a href="http://spamassassin.apache.org/">SpamAssassin</a> project page:
			</div><div class="para">
				"Open Source mail filter, written in Perl, to identify spam using a wide range of heuristic tests on mail headers and body text. Free software."
			</div><div class="para">
				When using Fedora, the <span class="package">spamassassin</span> package provides SpamAssassin. Run <code class="command">rpm -q spamassassin</code> to see if the <span class="package">spamassassin</span> package is installed. If it is not installed, run the following command as the root user to install it:
			</div><pre class="screen">
yum install spamassassin
</pre><div class="para">
				SpamAssassin operates in tandem with a mailer such as Postfix to provide spam-filtering capabilities. In order for SpamAssassin to effectively intercept, analyze and filter mail, it must listen on a network interface. The default port for SpamAssassin is TCP/783; however, this can be changed. The following example provides a real-world demonstration of how SELinux complements SpamAssassin by only allowing it access to a certain port by default. This example then demonstrates how to change the port and have SpamAssassin operate on a non-default port.
			</div><div class="para">
				Note that this is an example only and demonstrates how SELinux can affect a simple configuration of SpamAssassin. Comprehensive documentation of SpamAssassin is beyond the scope of this document. Refer to the official <a href="http://spamassassin.apache.org/doc.html">SpamAssassin documentation</a> for further details. This example assumes the <span class="package">spamassassin</span> package is installed, that any firewall has been configured to allow access on the ports in use, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
			</div><div class="orderedlist"><h6>Running SpamAssassin on a non-default port</h6><ol><li><div class="para">
						Run the <code class="command">semanage</code> command to show the port that SELinux allows <code class="systemitem">spamd</code> to listen on by default:
					</div><pre class="screen">
# semanage port -l | grep spamd
spamd_port_t		tcp	783
</pre><div class="para">
						This output shows that TCP/783 is defined in <code class="computeroutput">spamd_port_t</code> as the port for SpamAssassin to operate on.
					</div></li><li><div class="para">
						Edit the <code class="filename">/etc/sysconfig/spamassassin</code> configuration file and modify it so that it will start SpamAssassin on the example port TCP/10000:
					</div><pre class="screen">
# Options to spamd
SPAMDOPTIONS="-d -p 10000 -c m5 -H"
</pre><div class="para">
						This line now specifies that SpamAssassin will operate on port 10000. The rest of this example will show how to modify SELinux policy to allow this socket to be opened.
					</div></li><li><div class="para">
						Start SpamAssassin and an error message similar to the following will appear:
					</div><pre class="screen">
/etc/init.d/spamassassin start
Starting spamd: [2203] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:10000: Permission denied
[2203] warn: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:10000: Permission denied
[2203] error: spamd: could not create INET socket on 127.0.0.1:10000: Permission denied
spamd: could not create INET socket on 127.0.0.1:10000: Permission denied
                                                           [FAILED]
</pre><div class="para">
						This output means that SELinux has blocked access to this port.
					</div></li><li><div class="para">
						A denial similar to the following will be logged by SELinux:
					</div><pre class="screen">
SELinux is preventing the spamd (spamd_t) from binding to port 10000.
</pre></li><li><div class="para">
						As the root user, run the <code class="command">semanage</code> command to modify SELinux policy in order to allow SpamAssassin to operate on the example port (TCP/10000):
					</div><pre class="screen">
semanage port -a -t spamd_port_t -p tcp 10000
</pre></li><li><div class="para">
						Confirm that SpamAssassin will now start and is operating on TCP port 10000: 
<pre class="screen">
# /etc/init.d/spamassassin start
Starting spamd:					[ OK ]

# netstat -lnp | grep 10000
tcp	0	0 127.0.0.1:10000	0.0.0.0:*	LISTEN	2224/spamd.pid
</pre>
					</div></li><li><div class="para">
						At this point, <code class="systemitem">spamd</code> is properly operating on TCP port 10000 as it has been allowed access to that port by SELinux policy.
					</div></li></ol></div></div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Managing_Confined_Services-References">Chapter 15. References</h2></div></div></div><div class="para">
		The following references are pointers to additional information that is relevant to SELinux but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Fedora.
	</div><div class="variablelist" id="vari-Managing_Confined_Services-References-Books"><h6>Books</h6><dl><dt><span class="term">SELinux by Example</span></dt><dd><div class="para">
					Mayer, MacMillan, and Caplan
				</div><div class="para">
					Prentice Hall, 2007
				</div></dd><dt><span class="term">SELinux: NSA's Open Source Security Enhanced Linux</span></dt><dd><div class="para">
					Bill McCarty
				</div><div class="para">
					O'Reilly Media Inc., 2004
				</div></dd></dl></div><div class="variablelist" id="vari-Managing_Confined_Services-References-Tutorials_and_Help"><h6>Tutorials and Help</h6><dl><dt><span class="term">Tutorials and talks from Russell Coker</span></dt><dd><div class="para">
					<a href="http://www.coker.com.au/selinux/talks/ibmtu-2004/">http://www.coker.com.au/selinux/talks/ibmtu-2004/</a>
				</div></dd><dt><span class="term">Dan Walsh's Journal</span></dt><dd><div class="para">
					<a href="http://danwalsh.livejournal.com/">http://danwalsh.livejournal.com/</a>
				</div></dd><dt><span class="term">Red Hat Knowledgebase</span></dt><dd><div class="para">
					<a href="http://kbase.redhat.com/">http://kbase.redhat.com/</a>
				</div></dd></dl></div><div class="variablelist" id="vari-Managing_Confined_Services-References-General_Information"><h6>General Information</h6><dl><dt><span class="term">NSA SELinux main website</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a>
				</div></dd><dt><span class="term">NSA SELinux FAQ</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/faqs.shtml">http://www.nsa.gov/research/selinux/faqs.shtml</a>
				</div></dd></dl></div><div class="variablelist" id="vari-Managing_Confined_Services-Mailing_Lists"><h6>Mailing Lists</h6><dl><dt><span class="term">NSA SELinux mailing list</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/list.shtml">http://www.nsa.gov/research/selinux/list.shtml</a>
				</div></dd><dt><span class="term">Fedora SELinux mailing list</span></dt><dd><div class="para">
					<a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</a>
				</div></dd></dl></div><div class="variablelist" id="vari-Managing_Confined_Services-References-Community"><h6>Community</h6><dl><dt><span class="term">Fedora SELinux User Guide</span></dt><dd><div class="para">
					<a href="http://docs.fedoraproject.org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a>
				</div></dd><dt><span class="term">SELinux Project Wiki</span></dt><dd><div class="para">
					<a href="http://selinuxproject.org/page/Main_Page">http://selinuxproject.org/page/Main_Page</a>
				</div></dd><dt><span class="term">SELinux community page</span></dt><dd><div class="para">
					<a href="http://selinux.sourceforge.net/">http://selinux.sourceforge.net/</a>
				</div></dd><dt><span class="term">IRC</span></dt><dd><div class="para">
					irc.freenode.net, #selinux and #fedora-selinux
				</div></dd></dl></div></div></div></body></html>



