SeLinux and mail relaying
David G. Miller
dave at davenjudy.org
Sat Jul 8 13:48:36 UTC 2006
redhatdude at bellsouth.net wrote:
> So far no answer from the selinux list, it doesn't seem to have much
> activity that list. Can someone here help me out with this issue?
> Thanks, EJ On Jul 7, 2006, at 4:15 PM, Paul Howarth wrote:
>
>>> On Fri, 2006-07-07 at 14:13 -0400, redhatdude at bellsouth.net wrote:
>>
>>
>>>>> Hi,
>>>>> While trying to set up a mail cgi script, I discovered that Selinux
>>>>> is not allowing relaying mail from anything but postfix. I realized
>>>>> this when I turned off selinux and I started getting the result of
>>>>> cron jobs and other similar system emails.
>>>>> So my question is , how can I make selinux allow programs other than
>>>>> postfix and cyrus to relay emails?
>>>
>>>
>>>
>>> You need to raise this on fedora-selinux-list.
>>>
>>> If it's a policy issue, the right people will see it there.
>>>
>>> Paul.
>>>
>>>
>>>
>>
Lots of differences between our two setups since I'm running sendmail
and you're running postfix but I ran into a similar problem when I
wanted to get DSPAM working. The following are the rulesets that
"audit2allow" came up with to make things work:
cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t initrc_var_run_t:file read;
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t ntpd_t:dir getattr;
allow httpd_sys_script_t portmap_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir getattr;
# Next generated by audit2allow but causes compilation error. DSPAM appears
# to work OK without it.
# allow httpd_sys_script_t unconfined_t:dir getattr;
allow httpd_sys_script_t usr_t:dir { add_name remove_name write };
allow httpd_sys_script_t usr_t:file { append create lock unlink write };
allow httpd_t httpd_sys_content_t:file execute;
allow ndc_t named_zone_t:file { getattr read };
allow httpd_sys_script_t httpd_t:dir search;
allow httpd_sys_script_t initrc_t:dir search;
allow httpd_sys_script_t initrc_var_run_t:file lock;
allow httpd_sys_script_t mysqld_t:dir search;
allow httpd_sys_script_t ntpd_t:dir search;
allow httpd_sys_script_t portmap_t:dir search;
allow httpd_sys_script_t syslogd_t:dir search;
You can see from my comments that this was somewhat of a trial and error
approach to making DSPAM work. For DSPAM, I also had to play with
regular directory permissions and ownership within /var/spool/mail and
the DSPAM directories. Finally, my regular admin mail (cron jobs,
logwatch, etc.) all worked fine without these rule changes so it sounds
like you may have other SELinux issues.
Put the rules into
/etc/selinux/targeted/src/policy/domains/misc/local.te and then do a
make, make install in /etc/selinux/targeted/src/policy/. If these rules
don't work, you can use the same methodology I used: turn off SELinux
enforcement and perform the actions you're interested in then run
audit2allow to see what local rules you need. Be advised that the local
rules that audit2allow creates may be loser than necessary and may open
a vulnerability.
Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
More information about the fedora-list
mailing list