httpd can't send mails

David Caplan dac at tresys.com
Tue Jul 3 13:10:56 UTC 2007


Hi,

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Shintaro Fujiwara
> Sent: Monday, July 02, 2007 2:48 PM
> To: fedora-selinux-list
> Subject: Re: httpd can't send mails
> 
> 
> If you are using postfix, here's what I did.
> I made an interface for postfix.
> 
> ########################################
> ## <summary>
> ##      for xoops sending mail from postfix.
> ## </summary>
> ## <param name="domain">
> ##      Domain allowed to send mail.
> ## </param>
> #
> 
> interface(`xoops_send_mail_by_postfix',`
>         gen_require(`
>                 type bin_t;
>                 type smtp_port_t;
>                 type sendmail_exec_t;
>         ')
>         allow $1 bin_t:dir search;
>         allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
>         allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> ')
> 

If you have the full reference policy source you should use defined
interfaces instead of breaking encapsulation of the types. For example,
you can rewrite your interface without any requires as:

interface(`xoops_send_mail_by_postfix',`

        corecmd_search_bin($1)

        corenet_tcp_connect_smtp_port($1)
        corenet_tcp_sendrecv_smtp_port($1)

        mta_exec($1)
')

David
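
Added example, not part of David's message or of the reference policy: a small Python check that applies the advice above to a `.if` file by listing every raw rule that names a type pulled in through `gen_require`. The function names are hypothetical, the sample input is the two versions of the interface from this thread, and the parser assumes the interface body contains no apostrophes in comments.

```python
import re
# Sample input: the two versions of the interface from this thread, unwrapped.
ORIGINAL_IF = """
interface(`xoops_send_mail_by_postfix',`
        gen_require(`
                type bin_t;
                type smtp_port_t;
                type sendmail_exec_t;
        ')
        allow $1 bin_t:dir search;
        allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
        allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
')
"""
REWRITTEN_IF = """
interface(`xoops_send_mail_by_postfix',`
        corecmd_search_bin($1)
        corenet_tcp_connect_smtp_port($1)
        corenet_tcp_sendrecv_smtp_port($1)
        mta_exec($1)
')
"""

def quoted_body(text, start):
    """Return the m4-quoted string whose opening backtick is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"`": 1, "'": -1}.get(text[i], 0)  # m4 quotes nest
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced m4 quotes")

def find_raw_type_rules(if_text):
    """List (interface, type, rule) for each raw rule naming a gen_require'd type."""
    findings = []
    for m in re.finditer(r"interface\(`(\w+)',\s*(?=`)", if_text):
        body = quoted_body(if_text, m.end())
        required = set()
        for req in re.finditer(r"gen_require\((?=`)", body):
            block = quoted_body(body, req.end())
            for decl in re.findall(r"\btype\s+([^;]+);", block):
                required.update(t.strip() for t in decl.split(","))
        for rule in re.findall(r"\b(?:allow|dontaudit|auditallow)\b[^;]*;", body):
            for t in sorted(required & set(re.findall(r"\w+", rule))):
                findings.append((m.group(1), t, " ".join(rule.split())))
    return findings

if __name__ == "__main__":
    print(*find_raw_type_rules(ORIGINAL_IF), sep="\n")
```

A finding is a candidate for review rather than an error: a module's own interface file legitimately requires the types that module declares, and the check cannot tell which module owns a type.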