SELinux and mail relaying

David G. Miller dave at davenjudy.org
Sat Jul 8 20:11:39 UTC 2006


redhatdude at bellsouth.net wrote:

>Well, I'm stuck here if there's no easy way to fix my problem. I  
>can't understand how daemons such as syslogd or crond are not allowed  
>to send emails through postfix. I'm only left with an option, disable  
>selinux, which sucks. I tried to read the documentation and it's a  
>lot to swallow. On top of that, FC5 has different locations for all  
>those files, different from what the selinux documentation says. For  
>example, I don't have a src directory inside /etc/selinux/targeted/  
>and there's no single file ending with .te in my system.
>This is frustrating. Thanks for your help Dave
>EJ
>
>PS. The selinux list is completely dead, one email in 24 hours. So  
>much for getting help there.
>
Sorry.  Been long enough since I went through all of this that I didn't 
remember some of the details.  There is a ruleset source RPM you need to 
install to be able to create a custom ruleset.  Something like "yum 
install selinux-policy-targeted-sources" should get you the source for 
the stock targeted ruleset and the ability to make changes via a custom 
ruleset.  It will also create the required directory structure under 
/etc/selinux/targeted/.  The memory of the pain is all coming back to me 
now.... 

Not sure what the scoop is on postfix since "standard" RPMs tend to come 
with any required SELinux rulesets for them to at least work doing 
default behavior (e.g., if you install httpd you can set up a simple web 
server but any "interesting" CGI behavior requires customizing the 
ruleset).  audit2allow is your friend here since you can just turn off 
enforcing mode and see what complaints SELinux generates, run 
audit2allow to find out what ruleset changes are required and, most of 
the time, just add the suggested rules to local.te.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce



