RE: httpd can't send mails
- From: Shintaro Fujiwara <shin216 xf7 so-net ne jp>
- To: David Caplan <dac tresys com>, fedora-selinux-list <fedora-selinux-list redhat com>
- Cc:
- Subject: RE: httpd can't send mails
- Date: Wed, 04 Jul 2007 08:16:47 +0900
> Hi,
>
> > -----Original Message-----
> > From: fedora-selinux-list-bounces redhat com [mailto:fedora-selinux-list-bounces redhat com] On Behalf Of Shintaro Fujiwara
> > Sent: Monday, July 02, 2007 2:48 PM
> > To: fedora-selinux-list
> > Subject: Re: httpd can't send mails
> >
> >
> > If you are using postfix, here's what I did.
> > I made an interface for postfix.
> >
> > ########################################
> > ## <summary>
> > ## for xoops sending mail from postfix.
> > ## </summary>
> > ## <param name="domain">
> > ## Domain allowed to send mail.
> > ## </param>
> > #
> >
> > interface(`xoops_send_mail_by_postfix',`
> >     gen_require(`
> >         type bin_t;
> >         type smtp_port_t;
> >         type sendmail_exec_t;
> >     ')
> >     allow $1 bin_t:dir search;
> >     allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> >     allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> > ')
> >
>
> If you have the full reference policy source you should use defined
> interfaces instead of breaking encapsulation of the types. For example,
> you can rewrite your interface without any requires as:
>
> interface(`xoops_send_mail_by_postfix',`
>
> corecmd_search_bin($1)
>
> corenet_tcp_connect_smtp_port($1)
> corenet_tcp_sendrecv_smtp_port($1)
>
> mta_exec($1)
> ')
>
> David
Thanks!
That's what I'm aiming at in the near future.
As a matter of fact, I printed every interface and felt at a loss
because of its thickness.
On what page or in what software can I find those defined interfaces?
SLIDE?
I once wrote such software, named segatex...
Why is audit2allow just echoing raw access vectors and not interfaces?
I think if audit2allow had such an option, it would be more convenient
and rewarding.
Maybe I should rewrite my own program... segatex... by this
summer, though.
Or are there other projects doing the same thing?
Karl's project?
http://sourceforge.net/projects/segatex/
http://intrajp.no-ip.com my homepage
Officer,System-Information,Signal School, JGSDF
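
The question raised in this message, turning raw access vectors into interface calls, sketched as an added example (not code from the thread, from segatex or from audit2allow). The interface names are the ones David uses above; their bodies here are constructed, simplified stand-ins, and `httpd_t` as the calling domain and `example_spool_t` are assumptions.

```python
import re
# Constructed, simplified bodies (assumption); only the names come from the thread.
SAMPLE_IF = """
interface(`corecmd_search_bin',`
    allow $1 bin_t:dir search;
')
interface(`corenet_tcp_connect_smtp_port',`
    allow $1 smtp_port_t:tcp_socket name_connect;
')
interface(`corenet_tcp_sendrecv_smtp_port',`
    allow $1 smtp_port_t:tcp_socket { send_msg recv_msg };
')
interface(`mta_exec',`
    allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
')
"""
# Thread's raw rules bound to httpd_t (assumed), plus one constructed uncovered rule.
RAW = """
allow httpd_t bin_t:dir search;
allow httpd_t smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
allow httpd_t sendmail_exec_t:file { execute execute_no_trans getattr read };
allow httpd_t example_spool_t:file write;
"""
RULE = re.compile(r"allow\s+(\S+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_rules(text):
    """Return {(source, target, class): set(perms)} for each allow rule."""
    av = {}
    for src, tgt, cls, many, one in RULE.findall(text):
        av.setdefault((src, tgt, cls), set()).update((many or one).split())
    return av

def parse_interfaces(text):
    """Map interface name -> access vectors granted to its $1 argument."""
    blocks = re.findall(r"interface\(`(\w+)',`(.*?)'\)", text, re.S)
    return {name: parse_rules(body) for name, body in blocks}

def suggest(raw_rules, if_text=SAMPLE_IF):
    """Pick interfaces granting nothing beyond raw_rules; return (calls, uncovered)."""
    need = parse_rules(raw_rules)
    left, calls = {k: set(v) for k, v in need.items()}, []
    for name, grants in parse_interfaces(if_text).items():
        for src in sorted({k[0] for k in need}):
            bound = {(src, t, c): p for (_, t, c), p in grants.items()}
            if bound and all(p <= need.get(k, set()) for k, p in bound.items()):
                calls.append(f"{name}({src})")
                for k, p in bound.items():
                    left[k] -= p
    return calls, {k: v for k, v in left.items() if v}
```

`suggest(RAW)` returns the four interface calls for `httpd_t` and reports the `example_spool_t` rule as uncovered; an interface is skipped whenever it would grant a permission the raw rules did not ask for.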