pyzor and SELinux

Paul Howarth paul at city-fan.org
Mon Mar 20 12:09:40 UTC 2006


Craig White wrote:
> On Sat, 2006-03-18 at 22:45 -0800, Antony Nguyen wrote:
> 
>>Hi Craig,
>>
>>On Sat, 18 Mar 2006, Craig White wrote:
>>
>>
>>>>Can anyone give me a hint as to how to add an selinux policy for pyzor or
>>>>enable its ability to resolve names?
>>>>
>>>
>>>----
>>>try this...
>>>
>>>yum install selinux-policy-targeted-sources
>>>cd /etc/selinux/targeted/src/policy
>>>audit2allow -d >> domains/local.te
>>>make reload
>>>
>>>I won't explain and I'm just guessing that will work for you.
>>
>>Thanks, that seems to have done the trick.  I'm running auditd so I 
>>actually used:
>>
>>audit2allow -i /var/log/audit/audit.lg >> domains/misc/local.te
>>
>>This begs the question though:  should this be part of the 
>>spamassassin/pyzor policy shipped with Fedora?  I pretty much used
>>the standard FC4 installation of spamassassin (spamd) and pyzor
>>(not pyzord) with the only configuration on my part was running
>>'pyzor discover' as root to download the pyzor server list.
>>Should I submit this as a 'bug' or RFE to the SELinux guru, or is
>>this local policy considered to be a regular sysadmin task that
>>we'll just have to deal with?
>>
> 
> ----
> I honestly don't know...Paul will probably check in before too
> long...he's very sharp on selinux and might be able to give you a better
> answer than I can.

It'd be interesting to see what's actually in 
/etc/selinux/targeted/src/policy/domains/local.te

The right thing to do is to figure out if what pyzor is trying to do 
*should* be allowed, and:

(*) if it should, raise a bug on selinux-policy-targeted
(*) if it shouldn't, raise a bug on pyzor

I think there have been a lot of issues with SELinux and SpamAssassin in 
FC4, possibly because SA has lots of optional features (some of which 
require perl modules from Extras) and it can be used in many different 
ways (e.g. using spamd, straight from procmail, in a sendmail milter 
etc.). Enumerating all of the things it *should* be allowed to do is not 
an easy task, but the more people that raise bugs on it when they 
discover them, the better the default policy will be.

Incidentally, policy tweaking in FC5 will be completely different; the 
sources are not provided (apart from SRPMs, as per the kernel), and 
SELinux policy modules are available instead.

http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

Paul.
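As an added example (not part of this thread or of any Fedora tooling), a small shell helper that pulls the AVC denials for one command name out of audit.log-style lines and summarises each as permission, object class, source type and target type, which is what you need to read before deciding whether pyzor's access *should* be allowed. The sample audit lines are constructed and assume the field layout auditd writes (`type=AVC ... { perm } ... comm="..." ... scontext=... tcontext=... tclass=...`).

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one command from audit.log-style input.
# Output, one line per denial:
#   <perms> <tclass> scontext=<type> tcontext=<type> [name=.. dest=.. path=..]
summarize_avc() {
    # $1 = comm to filter on; audit log lines arrive on stdin
    grep 'type=AVC' | grep "comm=\"$1\"" | awk '{
        perm = ""; cls = ""; s = ""; t = ""; extra = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                     # collect every perm up to "}"
                j = i + 1;
                while ($j != "}") { perm = perm (perm == "" ? "" : ",") $j; j++ }
                i = j;
            }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            else if ($i ~ /^(name|dest|path)=/) { extra = extra " " $i }
        }
        print perm, cls, "scontext=" s, "tcontext=" t extra
    }'
}

# Constructed sample lines (not from a real system), in the FC4-era
# three-field context format; the httpd line is there to show filtering.
SAMPLE_AVC='type=AVC msg=audit(1142842000.123:45): avc:  denied  { create } for  pid=1234 comm="pyzor" scontext=root:system_r:spamd_t tcontext=root:system_r:spamd_t tclass=udp_socket
type=AVC msg=audit(1142842000.124:46): avc:  denied  { read } for  pid=1234 comm="pyzor" name="resolv.conf" dev=hda2 ino=12345 scontext=root:system_r:spamd_t tcontext=system_u:object_r:net_conf_t tclass=file
type=AVC msg=audit(1142842000.125:47): avc:  denied  { write } for  pid=999 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file'

# Stand-alone run over the constructed sample; on a real box you would use
#   summarize_avc pyzor < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | summarize_avc pyzor
```

Reading "read on net_conf_t" tells you pyzor wants /etc/resolv.conf for name resolution, which is a policy gap worth a bug report, whereas a denial on something unrelated to its job points at pyzor itself.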