> I haven't worked on the postfix pipe policy, but it seems like the only
> thing it can execute at the moment is procmail.

How is that determined? I can't find a single reference to procmail
anywhere in the SELinux targeted configuration, and procmail doesn't seem
to have any special context:

# ls --lcontext /usr/bin/procmail
-rwxr-xr-x 1 system_u:object_r:bin_t root mail 100680 Mar 18 2005 /usr/bin/procmail

> I would say:
> - the type mailman_queue_exec_t looks wrong for that file - how did it
> get this type?

I'm not sure, actually. Should it just be system_u:object_r:bin_t?

> - the file /usr/lib/mailman/mail (which your script runs) appears to be
> a SGID executable to group mailman which runs other [mailman] programs.
> It has type lib_t, which is incorrect. I think whatever regexps are
> currently used in policy are overly generic, and misclassify lots of
> things as lib_t.

Should I change its context to system_u:object_r:bin_t?

> In the short run, maybe a macro can be added to postfix that takes a
> domain and allows postfix_pipe to run that.

Makes sense. I don't have any idea how to do it, though perhaps I can find
time this weekend to study the O'Reilly book more.

Thanks!

Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
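The labelling check this thread circles around, as an added example that is not part of Eric's message or of the Fedora policy: a shell script that scans `ls --lcontext` output for executables under /usr/lib that carry the generic lib_t type, which is the misclassification the quoted reply describes. The sample lines are constructed (the qrunner path and its type are assumed, not taken from the thread), so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `ls --lcontext` output; the procmail and
# /usr/lib/mailman/mail lines mirror the thread, the other two are assumed.
SAMPLE='-rwxr-xr-x 1 system_u:object_r:bin_t root mail 100680 Mar 18 2005 /usr/bin/procmail
-rwxr-sr-x 1 system_u:object_r:lib_t root mailman 5852 Mar 18 2005 /usr/lib/mailman/mail
-rw-r--r-- 1 system_u:object_r:lib_t root root 12345 Mar 18 2005 /usr/lib/mailman/Mailman/Utils.py
-rwxr-xr-x 1 system_u:object_r:mailman_queue_exec_t root root 2345 Mar 18 2005 /usr/lib/mailman/bin/qrunner'

# selinux_type LINE: print the type component of the context field
# (field 3 of `ls --lcontext`, e.g. bin_t from system_u:object_r:bin_t).
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($3, c, ":"); print c[3] }'
}

# flag_suspect_labels: read `ls --lcontext` lines on stdin and print the
# path of every owner-executable file under /usr/lib whose type is lib_t.
# Such files are executed rather than loaded as libraries, so a plain
# lib_t label almost always comes from an over-broad file-context regexp
# and deserves a second look (an exec type or bin_t is what you'd expect).
flag_suspect_labels() {
    awk '
        $1 ~ /^-..x/ && $NF ~ /^\/usr\/lib\// {
            split($3, c, ":")
            if (c[3] == "lib_t") print $NF
        }'
}

# check_sample: run the check over the constructed sample (stand-alone use).
check_sample() {
    printf '%s\n' "$SAMPLE" | flag_suspect_labels
}

# On a live system you would feed it real listings instead, e.g.
#   find /usr/lib -type f -perm -u+x -exec ls --lcontext {} + | flag_suspect_labels
check_sample
```

Only /usr/lib/mailman/mail is reported: it is executable (and SGID) yet labelled lib_t, while the non-executable Python module keeps lib_t legitimately and the qrunner binary already has a dedicated exec type.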