Re: SeLinux and mail relaying

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



redhatdude@xxxxxxxxxxxxx wrote:

So far no answer from the selinux list, it doesn't seem to have much activity that list. Can someone here help me out with this issue? Thanks, EJ On Jul 7, 2006, at 4:15 PM, Paul Howarth wrote:

On Fri, 2006-07-07 at 14:13 -0400, redhatdude@xxxxxxxxxxxxx wrote:
Hi,
While trying to set up a mail cgi script, I discovered that Selinux
is not allowing relaying mail from anything but postfix. I realized
this when I turned off selinux and I started getting the result of
cron jobs and other similar system emails.
So my question is ,  how can I make selinux allow programs other than
postfix and cyrus to relay emails?

You need to raise this on fedora-selinux-list.

If it's a policy issue, the right people will see it there.

Paul.




Lots of differences between our two setups since I'm running sendmail and you're running postfix but I ran into a similar problem when I wanted to get DSPAM working. The following are the rulesets that "audit2allow" came up with to make things work:

cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t initrc_var_run_t:file read;
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t ntpd_t:dir getattr;
allow httpd_sys_script_t portmap_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir getattr;
# Next generated by audit2allow but causes compilation error.  DSPAM appears
# to work OK without it.
# allow httpd_sys_script_t unconfined_t:dir getattr;
allow httpd_sys_script_t usr_t:dir { add_name remove_name write };
allow httpd_sys_script_t usr_t:file { append create lock unlink write };
allow httpd_t httpd_sys_content_t:file execute;
allow ndc_t named_zone_t:file { getattr read };
allow httpd_sys_script_t httpd_t:dir search;
allow httpd_sys_script_t initrc_t:dir search;
allow httpd_sys_script_t initrc_var_run_t:file lock;
allow httpd_sys_script_t mysqld_t:dir search;
allow httpd_sys_script_t ntpd_t:dir search;
allow httpd_sys_script_t portmap_t:dir search;
allow httpd_sys_script_t syslogd_t:dir search;

You can see from my comments that this was somewhat of a trial and error approach to making DSPAM work. For DSPAM, I also had to play with regular directory permissions and ownership within /var/spool/mail and the DSPAM directories. Finally, my regular admin mail (cron jobs, logwatch, etc.) all worked fine without these rule changes so it sounds like you may have other SELinux issues.

Put the rules into /etc/selinux/targeted/src/policy/domains/misc/local.te and then do a make, make install in /etc/selinux/targeted/src/policy/. If these rules don't work, you can use the same methodology I used: turn off SELinux enforcement and perform the actions you're interested in then run audit2allow to see what local rules you need. Be advised that the local rules that audit2allow creates may be loser than necessary and may open a vulnerability.

Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux