Targeted strategy guidance needed

Gary Kopp geez4 at runbox.com
Wed Mar 29 16:54:01 UTC 2006


Would someone on this list be able to take a moment to give me a sanity
check and tell me if I'm on the right track? I'm configuring a RHEL4 server
to be an Internet-facing web/mail server. It will run httpd, postfix, and
courier-imap. Most application logic (including any requirement for SQL
access) will live on other servers that I'm not concerned about in the
context of SELinux, but this web server will probably have to run one PHP
application (Blog:CMS). I desire this web server to be as secure as
possible.

I have not yet mastered the intricacies of SELinux (but I'm working on
that), and I thought that by using Red Hat's targeted SELinux policy I'd
have a head start. I also thought this would leverage my investment in the
Red Hat Enterprise Linux support contract, being able to turn to Red Hat
support for help. I have since found out that my support agreement (SLA)
does not cover any SELinux issues arising from a modified targeted policy.

And right out of the chute I see that I can't live with the targeted policy
as delivered, and need to tweak it. For example, this server uses syslog-ng,
and the targeted policy is already complaining. Red Hat's SELinux Guide
offers instructions on how to add rules to local.te to get around minor
issues like this, and I'm willing to do that, but then I'll have no support
from Red Hat directly. I also anticipate that my httpd config may require
some policy tweaks (e.g., I'm thinking of putting Apache logs in a
non-standard location).

Next, the delivered targeted policy doesn't constrain postfix (it seems to
reference postfix, but then aliases it to unconfined). Again, the Guide
suggests I could write new policy specifically for something like postfix,
in essence extending the targeted policy. Interestingly, I see that the
Gentoo project has a whole bunch of SELinux policies available, including
one for postfix. A side question I have is: does it make sense to adapt/use
the policies available in the Gentoo project to extend the targeted policy
for new processes, or is that a bad idea?

I'm assuming that the RHEL targeted policy and the FC policy, the subject of
this mailing list, are one and the same, and therefore I'm not out of line
coming to this list.  Am I correct?  As a RHEL user rather than a FC user
can I still use this list as a resource?

OK, here's my fundamental question: Given what I'm trying to achieve, is my
proper approach to start tweaking and extending the delivered targeted
policy? Is that commonly done, or should I be looking at some other strategy
to meet my needs?

I'll be grateful for any advice anyone would like to offer. TIA

--Gary Kopp
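The post describes the usual RHEL4 workflow for minor targeted-policy gaps: an AVC denial shows up in /var/log/messages, the Red Hat SELinux Guide has you add a matching rule to local.te, and you rebuild the policy. The shell function below is an added example, not code from the original post or from Red Hat; it is a deliberately small stand-in for what the audit2allow tool does, so that the contents of a local.te rule are visible. The sample AVC lines, the hostname web1, the pids and the types involved are constructed for illustration and do not describe any real denial on the poster's system.

```shell
# Constructed sample of AVC denial lines in the format written to
# /var/log/messages on a RHEL4-era host (types, pids, inodes are made up).
SAMPLE_AVC='Mar 29 16:54:01 web1 kernel: audit(1143651241.234:56): avc:  denied  { read } for  pid=1234 comm="syslog-ng" name="messages" dev=hda2 ino=45678 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Mar 29 16:54:01 web1 kernel: audit(1143651241.235:57): avc:  denied  { write } for  pid=1234 comm="syslog-ng" name="messages" dev=hda2 ino=45678 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Mar 29 16:54:02 web1 kernel: audit(1143651242.100:58): avc:  denied  { search } for  pid=1234 comm="syslog-ng" name="syslog-ng" dev=hda2 ino=9999 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir'

# avc_to_allow: read log lines on stdin, keep only AVC "denied" records,
# group them by (source type, target type, object class) and print one
# allow rule per group with the union of the requested permissions, in
# the syntax used in local.te. Non-AVC lines are ignored.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the requested permissions sit between "{" and "}"
        perms = $0
        sub(/^.*denied *\{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src) }
            if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # user:role:type -> keep only the type field
        split(src, a, ":"); src = a[3]
        split(tgt, b, ":"); tgt = b[3]
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = plist[key] " " p[j]
            }
        }
    }
    END {
        for (k = 1; k <= count; k++) {
            key = keys[k]
            printf "allow %s { %s };\n", key, substr(plist[key], 2)
        }
    }'
}

# Usage: print the candidate rules for the constructed sample.
# Expected output:
#   allow syslogd_t var_log_t:file { read write };
#   allow syslogd_t var_t:dir { search };
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Treat the output as candidates to review, not rules to paste. A denial often means an object is mislabeled (a log file or directory created in a non-standard location, as with the relocated Apache logs mentioned in the post) and the right fix is to relabel it with chcon or restorecon, or to add a file context entry, rather than to widen the daemon's domain. Only a rule whose source type, target type and permission set you can justify belongs in local.te; each one you add is a permanent widening of what that daemon may touch, which is exactly what the targeted policy is meant to limit.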
