httpd can't send mails

Shintaro Fujiwara shin216 at xf7.so-net.ne.jp
Thu Jul 5 13:46:30 UTC 2007


> On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote:
> > > Hi,
> > > 
> > > > -----Original Message-----
> > > > From: fedora-selinux-list-bounces at redhat.com
> > > [mailto:fedora-selinux-list-
> > > > bounces at redhat.com] On Behalf Of Shintaro Fujiwara
> > > > Sent: Monday, July 02, 2007 2:48 PM
> > > > To: fedora-selinux-list
> > > > Subject: Re: httpd can't send mails
> > > > 
> > > > 
> > > > If you are using postfix, here's what I did.
> > > > I made an interface for postfix.
> > > > 
> > > > ########################################
> > > > ## <summary>
> > > > ##      for xoops sending mail from postfix.
> > > > ## </summary>
> > > > ## <param name="domain">
> > > > ##      Domain allowed to send mail.
> > > > ## </param>
> > > > #
> > > > 
> > > > interface(`xoops_send_mail_by_postfix',`
> > > >         gen_require(`
> > > >                 type bin_t;
> > > >                 type smtp_port_t;
> > > >                 type sendmail_exec_t;
> > > >         ')
> > > >         allow $1 bin_t:dir search;
> > > >         allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> > > >         allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> > > > ')
> > > > 
> > > 
> > > If you have the full reference policy source you should use defined
> > > interfaces instead of breaking encapsulation of the types. For example,
> > > you can rewrite your interface without any requires as:
> > > 
> > > interface(`xoops_send_mail_by_postfix',`
> > > 
> > >         corecmd_search_bin($1)
> > > 
> > >         corenet_tcp_connect_smtp_port($1)
> > >         corenet_tcp_sendrecv_smtp_port($1)
> > > 
> > >         mta_exec($1)
> > > ')
> > > 
> > > David
> > 
> > Thanks !
> > 
> > That's what I'm aiming at in near future.
> > 
> > As a matter of fact, I printed every interface and felt at a loss
> > because of its thickness.
> > 
> > On what page or in what software can I find those defined interfaces?
> > SLIDE?
> > 
> > I once wrote such software, named segatex...
> > 
> > Why is audit2allow just echoing raw access vectors and not interfaces?
> > I think if audit2allow had such an option, it would be more convenient
> > and rewarding.
> 
> audit2allow -R will attempt to match interfaces, albeit imperfectly.
> 

Thanks for letting me know.
I found the new refpolicy using many interfaces.
As a means of generating interfaces from raw denial messages,
I worked on one .if file as a test to break up its interfaces.
By this process, I think I can match audit.log to interfaces.
Although incomplete, it looks like this...
I will break them up until I get down to access vectors.
...
...
interface(`acct_domtrans',`
        gen_require(`
                #type acct_t, acct_exec_t;
                type acct_t, acct_exec_t, bin_t;
        ')

        #corecmd_search_bin($1)
                #search_dirs_pattern($1,bin_t,bin_t)
                # the pattern emits one rule for $2 and one for $3; both are bin_t here
                        allow $1 bin_t:dir search_dir_perms;
                        allow $1 bin_t:dir search_dir_perms;

        #domtrans_pattern($1,acct_exec_t,acct_t)
                #domain_auto_transition_pattern($1,$2,$3)
                        #domain_transition_pattern($1,$2,$3)
                                #allow $1 $2:file { getattr read execute };
                                allow $1 acct_exec_t:file { getattr read execute };
                                #allow $1 $3:process transition;
                                allow $1 acct_t:process transition;
                                #dontaudit $1 $3:process { noatsecure siginh rlimitinh };
                                dontaudit $1 acct_t:process { noatsecure siginh rlimitinh };
                        #type_transition $1 $2:process $3;
                        type_transition $1 acct_exec_t:process acct_t;
                #allow $3 $1:fd use;
                allow acct_t $1:fd use;
                #allow $3 $1:fifo_file rw_file_perms;
                allow acct_t $1:fifo_file rw_file_perms;
                #allow $3 $1:process sigchld;
                allow acct_t $1:process sigchld;

')
...
...
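The matching step described in this message (expand each interface down to its access vectors, then look up audit.log denials against that table so the fix can be written as interface calls rather than the raw allow rules from earlier in the thread) as an added, self-contained example. It is not part of the original post, not audit2allow, and not refpolicy code. The interface table is derived only from the rules and interface names quoted in this thread; the `search_dir_perms` contents are an assumption, and real refpolicy expansions carry more permissions. The AVC lines are constructed sample input.

```python
"""Match AVC denials against expanded refpolicy interfaces.

Added example for this thread, not audit2allow and not refpolicy code.
INTERFACE_TABLE is derived from the rules quoted in the thread; the real
expansions grant more permissions than listed here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# interface name -> rules it grants to its $1 argument: (target type, class, perms)
# Derived from the thread's own rules; the search_dir_perms set is an assumption.
INTERFACE_TABLE = {
    "corecmd_search_bin": [("bin_t", "dir", {"getattr", "search"})],
    "corenet_tcp_connect_smtp_port": [("smtp_port_t", "tcp_socket", {"name_connect"})],
    "corenet_tcp_sendrecv_smtp_port": [("smtp_port_t", "tcp_socket", {"send_msg", "recv_msg"})],
    "mta_exec": [("sendmail_exec_t", "file",
                  {"getattr", "read", "execute", "execute_no_trans"})],
}

# Constructed sample audit.log lines: a web application domain handing mail to
# postfix's sendmail wrapper, plus one denial no interface in the table covers.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1183600000.123:101): avc:  denied  { search } for  pid=2345 comm="httpd" name="bin" dev=sda1 ino=123 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1183600000.124:102): avc:  denied  { getattr read execute } for  pid=2345 comm="httpd" name="sendmail.postfix" dev=sda1 ino=124 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1183600000.125:103): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=25 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183600000.126:104): avc:  denied  { write } for  pid=2345 comm="httpd" name="foo" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Pull the denied permissions, the source/target types and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S*?:(?P<stype>\w+_t)\S*\s+"
    r"tcontext=\S*?:(?P<ttype>\w+_t)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


@dataclass
class Denial:
    stype: str
    ttype: str
    tclass: str
    perms: frozenset


def parse_avc(line):
    """Return a Denial for an AVC 'denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split()))


def match_interfaces(denial, table=INTERFACE_TABLE):
    """Greedily pick interfaces whose expanded rules cover the denied perms.

    Returns (interface names, leftover perms). Leftover perms are those no
    interface in the table grants for this target type / class pair.
    """
    remaining = set(denial.perms)
    chosen = []
    while remaining:
        best, best_cover = None, set()
        for name, rules in table.items():
            cover = set()
            for ttype, tclass, perms in rules:
                if ttype == denial.ttype and tclass == denial.tclass:
                    cover |= perms & remaining
            if len(cover) > len(best_cover):
                best, best_cover = name, cover
        if best is None:
            break
        chosen.append(best)
        remaining -= best_cover
    return chosen, remaining


def suggest_policy(log_text, table=INTERFACE_TABLE):
    """Map an audit log to policy lines, keyed by source domain.

    Interface calls come first; permissions the table cannot explain fall back
    to a raw allow rule, the way audit2allow without -R would write it.
    """
    calls = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        ifaces, leftover = match_interfaces(d, table)
        for name in ifaces:
            call = f"{name}({d.stype})"
            if call not in calls[d.stype]:
                calls[d.stype].append(call)
        if leftover:
            calls[d.stype].append(
                f"allow {d.stype} {d.ttype}:{d.tclass} {{ {' '.join(sorted(leftover))} }};")
    return dict(calls)


if __name__ == "__main__":
    for domain, lines in suggest_policy(SAMPLE_AUDIT_LOG).items():
        print(f"# rules for {domain}")
        for rule in lines:
            print("\t" + rule)
```

The raw `allow` fallback at the end is the part worth reviewing by hand: a permission that no interface explains is either a gap in the table or a sign that the domain is doing something the policy was not meant to permit, and it should be checked against what the application actually needs before it is added.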
