postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Mon Jun 12 16:40:20 UTC 2006


Marc Schwartz wrote:
> On Wed, 2006-06-07 at 13:12 -0500, Marc Schwartz (via MN) wrote:
>> On Wed, 2006-06-07 at 17:56 +0100, Paul Howarth wrote:
>>> On Wed, 2006-06-07 at 12:20 -0400, Daniel J Walsh wrote:
>>>> I will be turning on dcc and razor policy in next rawhide update.  This 
>>>> should cover some of the problems you are having.  Please send
>>>> me all of your policy so that I can get it in the upstream pool.
>>> We may need to do some rework then, since what we have, particularly for
>>> dcc, is getting the dcc client to work in spamd when running in the
>>> spamd domain. By turning on the dcc policy, this will all change.
>>>
>>> Similarly, Mark seems to be running razor from pyzor, so the policy
>>> tweaks have been for getting razor working as pyzor_t.
>>>
>>> I can send you what we've got so far, but it'll be of limited
>>> usefulness. Perhaps more useful would be if Mark could let you know
>>> where the various files/programs are installed to in the upstream
>>> default configuration (and his config, if different), so that the file
>>> contexts in policy can be right first time.
>> <snip of policies>
>>
>> Paul and Dan,
>>
>> As of this moment, now running in Enforcing Mode, the following are
>> known to work with Paul's policies and context changes:
>>
>>   Incoming multiple POP3 account mail via fetchmail is working.
>>   fetchmail, BTW, runs every 2 mins. from my own crontab file, not the
>>   system crontab, using ~/.fetchmailrc.
>>
>>   Outgoing mail via company SMTP server is working
>>
>>   Mail forwarding off my laptop via procmail/postfix is working
>>
>>   Clamassassin is working
>>
>>   Spamassassin is working
>>
>>
>> I have not yet had any Viagra-like e-mails to be able to test the other
>> remote servers (ie. pyzor, razor and DCC) to check for function.
>> Hopefully some will come through today (why can't you get them when you
>> want them....  ;-).
> 
> Just a quick update here that so far, I can add:
> 
>   DCC is working
> 
>   Pyzor is working
> 
> to the list.
> 
> So far, no confirmed hits on Razor2 or RBL's (ie. SpamCop).
> 
> I have temporarily modified some of the SA generated e-mail headers via
> add_header in user_prefs so that I can keep better track of these things
> specifically.
> 
> I'll post more when I can confirm the remaining tests.

At this point it might be worth trying to remove some of the "strange" 
policy items, such as:

allow postfix_master_t man_t:file getattr;

and see what, if anything, fails. By doing this we might get some insight 
into what is actually happening, or if nothing breaks, we could 
dontaudit it instead of allowing it.

Paul.
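A small helper, added here and not part of the thread, that collapses AVC denials from audit.log into one rule per (source type, target type, class) and lets you pick which of those triples get a dontaudit rule instead of an allow, the choice Paul raises for the man_t getattr denial. The audit lines and the spamd_var_lib_t denial are constructed samples, not real log output.

```python
import re
from collections import defaultdict

# Constructed sample denials in the audit.log format of the time (pids, inodes and
# the spamd_var_lib_t line are made up for illustration).
SAMPLE_AVC = """\
type=AVC msg=audit(1149973220.123:456): avc:  denied  { getattr } for  pid=2101 comm="master" path="/usr/share/man/man8/master.8.gz" dev=sda2 ino=81922 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1149973221.456:457): avc:  denied  { read write } for  pid=2230 comm="spamd" name="bayes_toks" dev=sda2 ino=91001 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1149973221.789:458): avc:  denied  { getattr } for  pid=2101 comm="master" path="/usr/share/man/man8/master.8.gz" dev=sda2 ino=81922 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
"""

# Pull the permission set, source type, target type and object class out of one AVC line.
# The optional ":\S+" after each type absorbs an MLS/MCS range such as ":s0" if present.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)(?::\S+)? .*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)? .*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return (source type, target type, class, permissions) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return m.group("stype"), m.group("ttype"), m.group("tclass"), perms


def rules_from_avc(log_text, dontaudit_keys=frozenset()):
    """Merge repeated denials and emit policy rules.

    Triples listed in dontaudit_keys are silenced without granting access;
    everything else becomes an allow rule for the reviewer to inspect.
    """
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for key in sorted(merged):
        stype, ttype, tclass = key
        kind = "dontaudit" if key in dontaudit_keys else "allow"
        perms = " ".join(sorted(merged[key]))
        rules.append(f"{kind} {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules
```

Feed the output into a local .te module (checkmodule/semodule) and keep the allow list short: anything you cannot explain from the daemon's job is a candidate for dontaudit rather than allow.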
