Re: postfix sendmail and GeoIP

[Manuel Wolfshant <wolfy nobugconsulting ro>]

Stefan Schulze Frielinghaus wrote:
> > I ran audit2allow -M  which produced the following policy:
> >
> >     module postfixSendmail 1.0;
> >
> >     require {
> >             type system_mail_t;
> >             type usr_t;
> >             class file read;
> >     }
> >
> >     #============= system_mail_t ==============
> >     allow system_mail_t usr_t:file read;
> >
> > I don't think allowing postfix.sendmail to read all files of type usr_t 
> > is the right thing to do, yet, I do need to allow postfix.sendmail to 
> > read the GeoIP data file.
> >
> > Any suggestions?
> >     
>
> I think it's not a big problem allowing _read_ of usr_t files. If you
> really want to separate these files from others you could create a new
> type. But like I already mentioned usr_t files do not hold any
> confidential information (or at least they shouldn't). IMHO I would
> allow read access.
>
> -Stefan
>
> --
>   
+ you could also add into equation the  good old pre-selinux attributes 
and allow postfix.sendmail to read only from the desired dir.  either 
setfacl or chmod o-rwx plus chgrp (or variants of this combination) 
would help here.