Fwd: newer postfix on RHEL5 (selinux policy)

Manuel Wolfshant wolfy at nobugconsulting.ro
Sat Apr 16 01:03:09 UTC 2011


On 04/15/2011 11:22 PM, Stephen John Smoogen wrote:
> Asked Daniel Walsh what would be needed for a postfix2x policy. I am
> wondering if we added the policy to the rpm with instructions on how
> to install it would be ok?
>
Extremely ugly, against the common usage in RHEL and Fedora, but
functional. I could live with that if properly triggered from
%postinstall and if the custom policy would be removed when
uninstalling the package.


     Manuel


> ---------- Forwarded message ----------
> From: Daniel J Walsh<dwalsh at redhat.com>
> Date: Thu, Apr 14, 2011 at 12:55
> Subject: Re: newer postfix on RHEL5 (selinux policy)
> To: Stephen John Smoogen<smooge at gmail.com>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/14/2011 12:44 PM, Stephen John Smoogen wrote:
>> So people in EPEL are looking at packaging a newer postfix for RHEL4/5
>> as it has features they need. The problem though is with an selinux
>> policy for it as we would like to have it sit in parallel directories
>> and not conflict with the RHEL postfix. What would be the best ways to
>> make a policy for the systems (if it can only be RHEL5 oh well).
>>
> Just copy the existing file context files and change the path.
>
> In RHEL5 you could just add the labels using semanage or better would be
> to install a pp file.  You need a one liner for postfix.te.  Then just
> include a postfixnew.fc file with new paths.  The type definition should
> remain the same.  You would also need to run restorecon on the paths
> after you install the policy module.
>
>
> cat postfixnew.te
> policy_module(postfixnew,1.0)
>
> cat postfixnew.fc
> # postfix
> /etc/postfix(/.*)?              gen_context(system_u:object_r:postfix_etc_t,s0)
> ifdef(`distro_redhat', `
> /usr/libexec/postfix/.* --      gen_context(system_u:object_r:postfix_exec_t,s0)
> /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
> /usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
> /usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
> /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
> /usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
> /usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
> /usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
> /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
> /usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> ', `
> /usr/lib/postfix/.*     --      gen_context(system_u:object_r:postfix_exec_t,s0)
> /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
> /usr/lib/postfix/local  -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
> /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
> /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
> /usr/lib/postfix/showq  -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
> /usr/lib/postfix/smtp   -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/lib/postfix/lmtp   -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> /usr/lib/postfix/smtpd  -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
> /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
> /usr/lib/postfix/pipe   -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
> ')
> /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
> /etc/postfix/prng_exch  --      gen_context(system_u:object_r:postfix_prng_t,s0)
> /usr/sbin/postalias     -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/sbin/postdrop      -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
> /usr/sbin/postfix       -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/sbin/postkick      -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/sbin/postlock      -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/sbin/postlog       -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /usr/sbin/postmap       -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
> /usr/sbin/postqueue     -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
> /usr/sbin/postsuper     -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> /var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_var_lib_t,s0)
> /var/run/postfix(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
>
> /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
> /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
> /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
> /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
> /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
> /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
> /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
> dwalsh at lo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2nQyEACgkQrlYvE4MpobOYOwCgwZslQGC0Xn/t3ql3TpoyWNKg
> lYwAn34zsszGEnTQS2pFSzuvlQQNXe6Z
> =CrdE
> -----END PGP SIGNATURE-----
>
>
>
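
The procedure discussed in this thread (copy the file contexts with changed paths, build a `.pp`, load it from the package scriptlets, relabel, and unload on removal), sketched as an added example that is not code from any of the posters. The directory name `postfix2x` and the `.pp` install path are assumptions; the module name `postfixnew` is the one used in the quoted message.

```shell
#!/bin/sh
# Added example, not code from the thread. MODULE is the name used in the
# thread; NEWDIR and PP_PATH are assumed names for the parallel install.
MODULE=postfixnew
NEWDIR=postfix2x
PP_PATH=/usr/share/selinux/packages/$MODULE/$MODULE.pp

# Rewrite only directory components named "postfix" in the path regexes.
# Type names (postfix_etc_t) and the /usr/sbin/postfix binary stay as they are.
rewrite_fc() {
    sed -E "s#/postfix([/(])#/$NEWDIR\\1#g"
}

# Literal directory roots of the rewritten entries, to hand to restorecon.
fc_roots() {
    grep -oE "^/[^[:space:](]*/$NEWDIR" | sort -u
}

# Constructed sample: four entries taken from the quoted postfixnew.fc.
sample_fc() {
    cat <<'EOF'
# postfix
/etc/postfix(/.*)?              gen_context(system_u:object_r:postfix_etc_t,s0)
/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
/usr/sbin/postfix       --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
EOF
}

# Build (needs selinux-policy-devel): stock .fc in $1 -> postfixnew.pp
build_module() {
    printf 'policy_module(%s,1.0)\n' "$MODULE" > "$MODULE.te"
    rewrite_fc < "$1" > "$MODULE.fc"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
}

# %post body: load the module, then relabel the roots given as arguments.
post_install() {
    semodule -i "$PP_PATH" && restorecon -R "$@"
}

# %postun body: $1 is 0 only on final erase, so upgrades keep the module.
post_uninstall() {
    [ "$1" -eq 0 ] || return 0
    semodule -r "$MODULE"
}

# Demo on the sample only; nothing above touches the running policy.
sample_fc | rewrite_fc
```

Entries under `/usr/sbin` are left unchanged by the rewrite, so any binaries the parallel package installs under different names still need their own lines in the `.fc`.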



