Bug 65010 - default sec-policy/selinux-postfix doesn't allow sysadm_r run /usr/sbin/postconf
Summary: default sec-policy/selinux-postfix doesn't allow sysadm_r run /usr/sbin/postconf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All
OS: All
Importance: High normal
Assignee: petre rodan (RETIRED)
Reported: 2004-09-22 13:00 UTC by Tuan Van (RETIRED)
Modified: 2004-10-16 08:13 UTC (History)
Description Tuan Van (RETIRED) gentoo-dev 2004-09-22 13:00:50 UTC
There are times when you need to run 'postconf' to check the postfix configuration. With the default sec-policy/selinux-postfix, I get denied:

Sep 19 13:14:43 nebula audit(1095624883.519:0): avc:  denied  { execute } for  pid=27695 exe=/bin/bash name=postconf dev=sda3 ino=673978 scontext=tvan:sysadm_r:sysadm_t tcontext=system_u:object_r:postfix_master_exec_t tclass=file
Sep 19 13:14:43 nebula audit(1095624883.519:0): avc:  denied  { read } for  pid=27695 exe=/bin/bash name=postconf dev=sda3 ino=673978 scontext=tvan:sysadm_r:sysadm_t tcontext=system_u:object_r:postfix_master_exec_t tclass=file

My workaround at the moment is to add:
allow sysadm_t postfix_master_exec_t:file { execute execute_no_trans getattr read };
in domain/program/my.te

I am just a selinux newbie, so I don't know if the above line will make my system less secure. Please advise.
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2004-10-01 10:09:09 UTC
This is probably OK. We'll have to check for updates upstream.
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-10-04 04:07:44 UTC
If this postconf binary is only used by sysadm_t to check the active configuration, we could also label it bin_t. In this case there is no need to change the policy.

Can you please tell me if this binary is ever used for anything other than just verification of the configuration parameters?
Comment 3 Tuan Van (RETIRED) gentoo-dev 2004-10-04 09:15:02 UTC
Petre,
postconf and postmap need to be labeled "postfix_master_exec_t", but sysadm_r should be able to run them also.
Comment 4 petre rodan (RETIRED) gentoo-dev 2004-10-15 09:58:26 UTC
I got a response from upstream:
http://marc.theaimsgroup.com/?l=selinux&m=109748288127771&w=2

Please be so kind as to see if the merged version works on your system (I'm not used to this MTA):
http://dev.gentoo.org/~kaiowas/distfiles/selinux-postfix-20041015.tar.bz2
If you have any problems with this version I would be happy to send your comments upstream.

If you want to see a diff between the gentoo policy and the merged one, here it is:
http://dev.gentoo.org/~kaiowas/patches/selinux-postfix.diff

bye,
peter
Comment 5 petre rodan (RETIRED) gentoo-dev 2004-10-16 08:13:10 UTC
In CVS.