postfix_smtp_t

Daniel J Walsh dwalsh at redhat.com
Thu Jul 23 20:07:36 UTC 2009


On 07/23/2009 05:03 AM, Christoph Höger wrote:
> Hi,
> 
> this is a rather special use case, but I think it is valid. According to
> Paul's hints at
>  http://marilyn.frields.org:8080/~paul/wordpress/?p=2616
> I configured postfix to relay my local mail via some mail servers. But
> since I like a clean approach I did not want the sasl_password files
> in /etc/ so that the admin (me) has to handle plain text passwords
> there. 
> 
> Postfix seems to support multiple db files at arbitrary positions. But
> SELinux does not. I guess the transition to postfix_smtp_t is a little
> too early (before chroot). So I changed the context of my sasl_passwd
> files to postfix_smtp_t, just to notice that:
> 
> 1. I (as a user) cannot do this
> 2. After I did it nevertheless I cannot edit those files
> 
> So here is my proposal:
> 
> Introduce postfix_userconfig_t and let postfix_smtp_t read it, and allow
> transitions and read/write access from unconfined_t to it. I know that
> this is suboptimal because it effectively becomes unconfined_t, but
> since the admin _must_ add those files to /etc/postfix/main.cf (and
> should allow only harmless files) I guess that this is ok.
> 
> Any objections or shall I try to write a patch for the policy?
> 
> 
What was the AVC you were seeing that caused you to make this change?



