Getting postfix + procmail + selinux to work is hard as:

- the postfix bits are exposed to the external world so they have tight permissions
- procmail is essentially a script multiplexer, not good at all from a security perspective; every action added to the procmailrc needs to have been predicted, audited and authorized by the policy authors
- procmailrc is in /home, default policy dontaudits a lot of the stuff happening there
- selinux policy authors don't seem to run or test this combo

I spent weeks reporting bugs on this before FC5 - every selinux update seemed to break procmail + postfix in new mysterious ways.

If you find the time to get the Fedora Devel policy ironed out for postfix + procmail and manage somewhat to convince policy authors to check they don't break it every other release I'll be very grateful. I don't have too much time nowadays so I've stopped testing for a few months.

--
Nicolas Mailhot

-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list