
Re: postfix, procmail and SELinux - No Go



Getting postfix + procmail + selinux to work is hard as:
- the postfix bits are exposed to the external world so they have tight
permissions
- procmail is essentially a script multiplexer, not good at all from a
security perspective: every action added to the procmailrc needs to have
been predicted, audited and authorized by the policy authors
- procmailrc is in /home, default policy dontaudits a lot of the stuff
happening there
- selinux policy authors don't seem to run or test this combo

I spent weeks reporting bugs on this before FC5 - every selinux update
seemed to break procmail + postfix in new mysterious ways. If you find
the time to get the Fedora Devel policy ironed out for postfix +
procmail and manage somewhat to convince policy authors to check they
don't break it every other release I'll be very grateful.

I don't have too much time nowadays so I've stopped testing for a few
months.

-- 
Nicolas Mailhot
