postfix, procmail and SELinux - No Go
Paul Howarth
paul at city-fan.org
Tue Jun 27 15:39:40 UTC 2006
Marc Schwartz wrote:
> On Mon, 2006-06-26 at 22:56 +0100, Paul Howarth wrote:
>> On Mon, 2006-06-26 at 12:47 -0500, Marc Schwartz (via MN) wrote:
>
> <snip>
>
>>>> Can you check that the dccproc being invoked by spamassassin is the one
>>>> in /usr/local/bin and that its context type is dcc_client_exec_t?
>>> dccproc only exists in two locations:
>>>
>>> /var/dcc/build/dcc/dccproc/dccproc
>>>
>>> and
>>>
>>> /usr/local/bin/dccproc
>>>
>>> The former is where dcc does it's build each night.
>>>
>>>
>>> It was:
>>>
>>> user_u:object_r:bin_t
>>>
>>> I ran restorecon on it and now:
>>>
>>> system_u:object_r:dcc_client_exec_t
>>>
>>>
>>> However, thinking that the build process might change the context, I
>>> manually ran updatedcc via sudo from the CLI. Sure enough, the context
>>> is back to:
>>>
>>> user_u:object_r:bin_t
>>>
>>> So the change in context will occur every night. :-(
>>>
>>> Should I add a restorecon to crontab after updatedcc runs?
>> Yes.
>
> Done. This takes place 10 minutes after updatedcc runs, in case there is
> some delay in the download. I moved the pyzor update to 1:15 am and the
> razor update stays at 1:20 am.
>
>>> Also, there is some configuration info here:
>>>
>>> http://www.rhyolite.com/anti-spam/dcc/dcc-tree/INSTALL.html
>>>
>>> where some settings (ie. UID) might be apropos here. If something makes
>>> sense to change, let me know.
>> It looks tricky. There's one script that both compiles and then installs
>> the updated version. It only needs to be root to do the install, and
>> would need changing to split the functionality.
>
> Agreed. Without fundamentally changing the script, this would be
> problematic.
I think a better updating option would be to get dcc into a third-party
repository and use the usual yum method to update the software.
Whilst it's not free software and hence unsuitable for Extras, I don't
think the license would prevent it being packaged somewhere else.
Paul.
More information about the fedora-selinux-list
mailing list