Would someone on this list be able to take a moment to give me a sanity check and tell me if I'm on the right track?

I'm configuring a RHEL4 server to be an Internet-facing web/mail server. It will run httpd, postfix, and courier-imap. Most application logic (including any requirement for SQL access) will live on other servers that I'm not concerned about in the context of SELinux, but this web server will probably have to run one PHP application (Blog:CMS). I desire this web server to be as secure as possible.

I have not yet mastered the intricacies of SELinux (but I'm working on that), and I thought that by using Red Hat's targeted SELinux policy I'd have a head start. I also thought this would leverage my investment in the Red Hat Enterprise Linux support contract, being able to turn to Red Hat support for help. I have since found out that my support agreement (SLA) does not cover any SELinux issues arising from a modified targeted policy.

And right out of the chute I see that I can't live with the targeted policy as delivered, and need to tweak it. For example, this server uses syslog-ng, and the targeted policy is already complaining. Red Hat's SELinux Guide offers instructions on how to add rules to local.te to get around minor issues like this, and I'm willing to do that, but then I'll have no support from Red Hat directly. I also anticipate that my httpd config may require some policy tweaks (e.g., I'm thinking of putting Apache logs in a non-standard location).

Next, the delivered targeted policy doesn't constrain postfix (it seems to reference postfix, but then aliases it to unconfined). Again, the Guide suggests I could write new policy specifically for something like postfix, in essence extending the targeted policy. Interestingly, I see that the Gentoo project has a whole bunch of SELinux policies available, including one for postfix.

A side question I have is: does it make sense to adapt/use the policies available in the Gentoo project to extend the targeted policy for new processes, or is that a bad idea?

I'm assuming that the RHEL targeted policy and the FC policy, the subject of this mailing list, are one and the same, and therefore I'm not out of line coming to this list. Am I correct? As a RHEL user rather than a FC user can I still use this list as a resource?

OK, here's my fundamental question: Given what I'm trying to achieve, is my proper approach to start tweaking and extending the delivered targeted policy? Is that commonly done, or should I be looking at some other strategy to meet my needs?

I'll be grateful for any advice anyone would like to offer.

TIA
--Gary Kopp

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
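The post mentions adding rules to local.te to quiet denials such as the syslog-ng one. The script below is an added example (it is not from the post, from Red Hat's guide, or from any project the post names) showing how a sysadmin would turn the kernel AVC records that RHEL4 writes to /var/log/messages into allow rules in local.te syntax, much as the audit2allow tool does. The AVC lines in SAMPLE_AVC are constructed for the example; the message layout they follow (`avc: denied { perms } for ... scontext=user:role:type tcontext=user:role:type tclass=class`) is assumed, and the type names are taken from the standard targeted policy.

```shell
#!/bin/sh
# Turn AVC denial records into "allow" rules for local.te.
# Added example; the log lines below are constructed, not captured from a real host.

SAMPLE_AVC='Jan  1 00:00:01 www kernel: audit(1104537601.123:11): avc:  denied  { read } for  pid=1234 exe=/sbin/syslog-ng name=messages dev=sda2 ino=12345 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Jan  1 00:00:02 www kernel: audit(1104537602.456:12): avc:  denied  { write } for  pid=1234 exe=/sbin/syslog-ng name=messages dev=sda2 ino=12345 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Jan  1 00:00:03 www kernel: audit(1104537603.789:13): avc:  denied  { getattr } for  pid=2345 exe=/usr/sbin/httpd path=/srv/www/logs dev=sda2 ino=22222 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
Jan  1 00:00:04 www kernel: some unrelated kernel message'

# avc_to_allow: read syslog lines on stdin, write one allow rule per
# (source type, target type, object class) to stdout, permissions merged.
avc_to_allow() {
    # Step 1: keep AVC denials only, emit "src tgt class perm" per permission.
    awk '
    /avc: *denied/ {
        perms = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }   # start of permission list
            if ($i == "}") { inbrace = 0; continue }   # end of permission list
            if (inbrace)   { perms = perms " " $i; continue }
            # contexts are user:role:type; the type is the third component
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' |
    # Step 2: drop duplicates and give a stable order.
    sort -u |
    # Step 3: fold consecutive lines with the same src/tgt/class into one rule.
    awk '
    {
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# demo: run the converter over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

# On a real host you would feed the converter with:
#   grep 'avc: *denied' /var/log/messages | avc_to_allow
demo
```

Each generated rule still has to be read before it goes into local.te. The two syslogd_t lines describe syslog-ng doing exactly what a syslog daemon should do to /var/log, so an allow rule is the right fix. The httpd_t line is the other case the post raises: Apache logging to a directory outside the usual location, which the policy has labeled var_t. Granting httpd_t access to var_t would loosen the policy for every file of that type; the better fix is to relabel the new log directory with the log type the policy already lets httpd write (httpd_log_t in the targeted policy) so no new rule is needed at all.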