selinux fixfiles context

Russell Coker russell at coker.com.au
Thu Apr 15 13:10:35 UTC 2004


On Thu, 15 Apr 2004 22:58, shmuel siegel <fedora at shmuelhome.mine.nu> wrote:
> In my environment, I am a little bit afraid of enforcing mode. I am
> running a non-critical mail server on my computer. It wouldn't bother me
> if the mail server didn't work but what would be unacceptable is if the
> server accepted mail and then couldn't write it to permanent storage. Is
> there anything that I can do to assure that I don't give false positives
> to received mail?

A correctly implemented mail server will not acknowledge receipt of a message 
until it is written to a queue file.  Therefore if SE Linux blocks the queue 
file write the mail server will send a 45x code (try again later).

If SE Linux blocks writing to the delivery location (home directory 
or /var/spool/mail) then the mail server may either bounce the message 
instantly or re-try the message for a few days before bouncing it.

If the mail server is unable to deliver or bounce the message then it could 
get lost.  If SE Linux permits writing to the queue then it's very unlikely 
that it would prevent sending a bounce message.  So the worst-case scenario 
for SE Linux and email is likely to be a bounce (at least the sender will 
know to re-send it).

But checking the system logs for AVC messages related to mail delivery is easy 
enough, so when you put the machine in enforcing mode you should be 
reasonably confident that it will work due to a lack of AVC messages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
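The log check described in the message above, as an added example that is not part of the original post: a small Python filter that counts AVC denials involving mail-related types, to be run over the kernel log while the machine is still in permissive mode. The `MAIL_HINTS` substrings and the sample log lines are assumptions constructed for illustration; adjust the hints to the type names in your policy.

```python
import re
from collections import Counter

# Assumption: substrings that mark a type as mail-related in your policy.
MAIL_HINTS = ("mail", "postfix", "exim", "smtp", "procmail", "dovecot")

# Matches both the bare kernel-log form and the later "type=AVC msg=audit(...)" form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field (third colon-separated field) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def mail_denials(lines, hints=MAIL_HINTS):
    """Count denials per (source type, target type, class, permission)
    where either the source or the target type looks mail-related."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src, tgt = se_type(m["scontext"]), se_type(m["tcontext"])
        if not any(h in src or h in tgt for h in hints):
            continue  # denial from an unrelated domain
        for perm in m["perms"].split():
            counts[(src, tgt, m["tclass"], perm)] += 1
    return counts

# Constructed sample log lines (not taken from a real system).
SAMPLE = """\
Apr 15 13:02:11 host kernel: audit(1082034131.412:0): avc:  denied  { write add_name } for  pid=2211 exe=/usr/sbin/sendmail name=mqueue dev=hda2 ino=48211 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=AVC msg=audit(1700000000.100:321): avc:  denied  { append } for  pid=900 comm="local" name="alice" dev="sda1" ino=77 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Apr 15 13:05:40 host kernel: audit(1082034340.001:0): avc:  denied  { read } for  pid=3100 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=5120 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Apr 15 13:06:00 host sendmail[2211]: i3FD60aa002211: queued
""".splitlines()

if __name__ == "__main__":
    for (src, tgt, tclass, perm), n in sorted(mail_denials(SAMPLE).items()):
        print(f"{n:4d}  {src} -> {tgt}:{tclass} {{ {perm} }}")
```

An empty result after a period of normal mail traffic in permissive mode is the "lack of AVC messages" the message refers to; any row that remains names the source type, target type and permission that policy would block once enforcing.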





More information about the fedora-test-list mailing list