Please be so kind and consider patching all current and future qmail ebuilds with the attached diff. This will ensure correct functioning of the product in a SELinux environment. thanks, peter
Created attachment 38962 [details, diff] ebuild patch
Created attachment 39002 [details, diff] ebuild patch
This needs to go to the ebuild maintainer to add the deps
Is this suitable for all of the qmail ebuilds {qmail,qmail-mysql,qmail-mysql}?
Only mail-mta/qmail for the time being; other flavors were not yet tested (by me) in SELinux.
The policy for daemontools seems to be broken. With these packages:

sec-policy/selinux-base-policy-20041023
sec-policy/selinux-qmail-20041018
mail-mta/qmail-1.03-r15
sec-policy/selinux-daemontools-20041111
sys-apps/daemontools-0.76-r4
sys-libs/libselinux-1.18

and linux kernel 2.6.7-hardened-r10 (using policy version 17), I get this:

avc: denied { dac_override } for pid=17704 exe=/usr/bin/supervise capability=1 scontext=system_u:system_r:svc_start_t tcontext=system_u:system_r:svc_start_t tclass=capability
avc: denied { dac_override } for pid=7621 exe=/usr/bin/supervise capability=1 scontext=system_u:system_r:svc_start_t tcontext=system_u:system_r:svc_start_t tclass=capability

/service/qmail-send is a symlink to /var/qmail/supervise/qmail-send and supervise is trying to start the run script here.

Additionally, svstat cannot be run in sysadm_r (Permission denied):

avc: denied { execute } for pid=2796 exe=/bin/bash name=svstat dev=hda6 ino=7498995 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:svc_start_exec_t tclass=file
avc: denied { read } for pid=2796 exe=/bin/bash name=svstat dev=hda6 ino=7498995 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:svc_start_exec_t tclass=file

I'm guessing that there needs to be an auto-transition from sysadm_t to svc_start_exec_t somewhere in daemontools.tc, something like this:

domain_auto_trans(sysadm_t, svc_start_exec_t, svc_start_t)

Unfortunately, I am out of time to test this theory (this is about the 4th revision of this comment already).
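The denials quoted in the comment above are easier to reason about once they are reduced to (source type, target type, class) -> permissions. The following script is an added example, not code from this bug or from the Gentoo SELinux policy: it parses AVC lines in the kernel 2.6 format shown above, groups them into candidate allow rules (the same reduction audit2allow performs), and flags the case where the right fix is a domain transition rather than a blanket allow. The `domain_auto_trans` macro name comes from the comment; deriving the target domain by replacing `_exec_t` with `_t` is an assumed naming convention of this policy, so the suggestion is a hint to check against the policy, not a rule to paste in.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC lines quoted in the comment above.
SAMPLE_LOG = """\
avc: denied { dac_override } for pid=17704 exe=/usr/bin/supervise capability=1 scontext=system_u:system_r:svc_start_t tcontext=system_u:system_r:svc_start_t tclass=capability
avc: denied { dac_override } for pid=7621 exe=/usr/bin/supervise capability=1 scontext=system_u:system_r:svc_start_t tcontext=system_u:system_r:svc_start_t tclass=capability
avc: denied { execute } for pid=2796 exe=/bin/bash name=svstat dev=hda6 ino=7498995 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:svc_start_exec_t tclass=file
avc: denied { read } for pid=2796 exe=/bin/bash name=svstat dev=hda6 ino=7498995 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:svc_start_exec_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the denial's permissions and the type component of each context.

    A context is user:role:type (optionally followed by an MLS level), so the
    type is always the third colon-separated field. Returns None for lines
    that are not AVC denials or lack the fields needed to build a rule.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "fields": fields,
    }


def summarize(log):
    """Group all denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def allow_rules(summary):
    """Render each group as a plain allow rule (the audit2allow-style fallback)."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(summary.items())
    ]


def suggest_transitions(summary):
    """Flag execute denials on *_exec_t file types.

    Executing an entrypoint type from another domain is usually meant to
    transition into the matching domain, not to be allowed in place. The
    target domain name is derived by the assumed *_exec_t -> *_t convention.
    """
    suggestions = []
    for (s, t, c), p in sorted(summary.items()):
        if c == "file" and "execute" in p and t.endswith("_exec_t"):
            domain = t[: -len("_exec_t")] + "_t"
            suggestions.append("domain_auto_trans(%s, %s, %s)" % (s, t, domain))
    return suggestions


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("# candidate allow rules (review before using):")
    for rule in allow_rules(summary):
        print(rule)
    print("# transitions to consider instead of the file allow rule:")
    for hint in suggest_transitions(summary):
        print(hint)
```

Run against the sample, the two `supervise` lines collapse into one capability rule for `svc_start_t`, and the two `svstat` lines collapse into one `sysadm_t -> svc_start_exec_t:file { execute read }` rule plus the transition hint `domain_auto_trans(sysadm_t, svc_start_exec_t, svc_start_t)`, which matches the guess in the comment. Whether the `dac_override` denial should be allowed at all is a separate question: it reports `supervise` bypassing file ownership checks while starting a run script, so the fix may be in file ownership under /var/qmail/supervise rather than in the policy.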
andy: open a new bug assigned to me with your problem and remember to never change the topic of existing bug reports. I happen to use those policies on 9 production servers, so I'm pretty sure the policies are not 'broken'. net-mail: can you please fix this one? you only have to write a RDEPEND for selinux as in the attached ebuild example.
RDEPEND change in CVS.
# Michael Hanselmann <hansmi@gentoo.org> (15 Mar 2007)
# mail-mta/qmail has been superseeded by mail-mta/netqmail.
# Pending removal mid April.

Please advise me about mail-mta/netqmail. How do I use the selinux policy with the netqmail package? Is it compatible?

P.S:

>>> Original instance of package unmerged safely.
 * Inserting the following modules into the strict module store: qmail
 * Inserting the following modules into the targeted module store: qmail
libsepol.expand_module: Error while indexing out symbols
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
>>> sec-policy/selinux-qmail-20061114 merged.
The qmail policy should be compatible with the new netqmail package.

> libsepol.expand_module: Error while indexing out symbols
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!

This is an error generated when some targeted policy modules are loaded. It's not a bug in the policy itself; maybe chris has more details about this.