postfix, procmail and SELinux - No Go
Marc Schwartz (via MN)
mschwartz at mn.rr.com
Wed Jun 21 14:29:23 UTC 2006
On Wed, 2006-06-21 at 08:20 +0100, Paul Howarth wrote:
> OK, here's an updated version of mypyzor.te:
>
> policy_module(mypyzor, 0.1.3)
>
> require {
> type pyzor_t;
> type pyzor_exec_t;
> type pyzor_port_t;
> type spamd_t;
> };
>
> # temp files
> type pyzor_tmp_t;
> files_tmp_file(pyzor_tmp_t)
>
> # Allow pyzor to create and use temp files and dirs
> allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
> allow pyzor_t pyzor_tmp_t:file create_file_perms;
> files_type(pyzor_tmp_t)
> files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
>
> # Allow pyzor to read config (and any other file...)
> # from user home directories
> userdom_read_unpriv_users_home_content_files(pyzor_t)
>
> # Allow pyzor to read /dev/urandom
> dev_read_urand(pyzor_t)
>
> # Allow pyzor to send and receive pyzor messages!
> allow pyzor_t pyzor_port_t:udp_socket send_msg;
> allow pyzor_t pyzor_port_t:udp_socket recv_msg;
>
> # Allow spamd to signal pyzor (kill/hup ?)
> allow spamd_t pyzor_t:process signal;
>
> # This doesn't seem to break anything
> dontaudit spamd_t pyzor_exec_t:file getattr;
>
> # Allow pyzor to ...?
> corecmd_search_bin(pyzor_t)
> kernel_read_kernel_sysctls(pyzor_t)
> # It does a getattr on /usr/bin/time for reasons unknown...
> # Would be nice to know if changing these from
> # allow to dontaudit causes any breakage
> allow pyzor_t bin_t:dir getattr;
> allow pyzor_t bin_t:file getattr;
>
> # Pyzor/python probably doesn't need to be able to read /proc/meminfo
> kernel_dontaudit_list_proc(pyzor_t)
> kernel_dontaudit_read_system_state(pyzor_t)
Paul,
I have made the change and all seems well so far.
Note that the version you have above is the same as the prior version.
So I bumped it 0.2.0 arbitrarily, unless you have an alternative
versioning schema that you want to stay with.
Thanks,
Marc
More information about the fedora-selinux-list
mailing list