> On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote:
> > > Hi,
> > >
> > > > -----Original Message-----
> > > > From: fedora-selinux-list-bounces@xxxxxxxxxx
> > > > [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Shintaro Fujiwara
> > > > Sent: Monday, July 02, 2007 2:48 PM
> > > > To: fedora-selinux-list
> > > > Subject: Re: httpd can't send mails
> > > >
> > > > If you are using postfix, here's what I did.
> > > > I made an interface for postfix.
> > > >
> > > > ########################################
> > > > ## <summary>
> > > > ##	for xoops sending mail from postfix.
> > > > ## </summary>
> > > > ## <param name="domain">
> > > > ##	Domain allowed to send mail.
> > > > ## </param>
> > > > #
> > > >
> > > > interface(`xoops_send_mail_by_postfix',`
> > > > 	gen_require(`
> > > > 		type bin_t;
> > > > 		type smtp_port_t;
> > > > 		type sendmail_exec_t;
> > > > 	')
> > > > 	allow $1 bin_t:dir search;
> > > > 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> > > > 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> > > > ')
> > >
> > > If you have the full reference policy source you should use defined
> > > interfaces instead of breaking encapsulation of the types. For example,
> > > you can rewrite your interface without any requires as:
> > >
> > > interface(`xoops_send_mail_by_postfix',`
> > >
> > > 	corecmd_search_bin($1)
> > >
> > > 	corenet_tcp_connect_smtp_port($1)
> > > 	corenet_tcp_sendrecv_smtp_port($1)
> > >
> > > 	mta_exec($1)
> > > ')
> > >
> > > David
> >
> > Thanks!
> >
> > That's what I'm aiming at in the near future.
> >
> > As a matter of fact, I printed every interface and felt at a loss
> > because of its thickness.
> >
> > In what page or software can I find those defined interfaces?
> > SLIDE?
> >
> > I once wrote such a piece of software, named segatex...
> >
> > Why does audit2allow just echo raw access vectors and not interfaces?
> > I think if audit2allow had such an option, it would be more convenient
> > and rewarding.
>
> audit2allow -R will attempt to match interfaces, albeit imperfectly.

Thanks for letting me know.

I found that the new refpolicy uses many interfaces.

As a means of generating interfaces from raw denied messages, I worked on one .if file as a test to break up interfaces. By this process, I think I can match audit.log to interfaces.

Although incomplete, it looks like this... I will keep breaking them up until I get down to access vectors.

...
...
interface(`acct_domtrans',`
	gen_require(`
		#type acct_t, acct_exec_t;
		type acct_t, acct_exec_t, bin_t;
	')

	#corecmd_search_bin($1)
	#search_dirs_pattern($1,bin_t,bin_t)
	allow $1 bin_t:dir search_dir_perms;
	allow $1 bin_t:dir search_dir_perms;

	#domtrans_pattern($1,acct_exec_t,acct_t)
	#domain_auto_transition_pattern($1,$2,$3)
	#domain_transition_pattern($1,$2,$3)
	#allow $1 $2:file { getattr read execute };
	allow $1 acct_exec_t:file { getattr read execute };
	#allow $1 $3:process transition;
	allow $1 acct_t:process transition;
	#dontaudit $1 $3:process { noatsecure siginh rlimitinh };
	dontaudit $1 acct_t:process { noatsecure siginh rlimitinh };
	#type_transition $1 $2:process $3;
	type_transition $1 acct_exec_t:process acct_t;
	#allow $3 $1:fd use;
	allow acct_t $1:fd use;
	#allow $3 $1:fifo_file rw_file_perms;
	allow acct_t $1:fifo_file rw_file_perms;
	#allow $3 $1:process sigchld;
	allow acct_t $1:process sigchld;
')
...
...

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
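The approach discussed in this thread (expand .if interfaces down to their access vectors, then match audit.log denials against them instead of emitting raw allow rules) can be sketched in a few dozen lines. The script below is an added illustration, not part of the original posts and not audit2allow's own code: the AVC lines are constructed, the interface table is a hand-expanded, approximate rendering of the four interfaces David named (the permission sets are assumptions, not copied from refpolicy), and the names parse_avc, match_interfaces and render are this example's own. What it shows beyond the thread is the caveat a reviewer wants: an interface usually grants more than the denial asked for, so the script reports the extra permissions next to each chosen interface and falls back to a raw allow rule only for permissions no interface covers.

```python
"""Toy audit2allow -R: map AVC denials to refpolicy-style interfaces."""
import re
from collections import defaultdict

# Constructed sample denials (not taken from the original thread).
AVC_LINES = [
    'type=AVC msg=audit(1183503601.123:45): avc:  denied  { search } for  pid=1234 comm="httpd" '
    'name="bin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir',
    'type=AVC msg=audit(1183503601.124:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" '
    'dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1183503601.125:47): avc:  denied  { execute execute_no_trans } for  pid=1234 '
    'comm="httpd" name="sendmail.postfix" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1183503601.126:48): avc:  denied  { write } for  pid=1234 comm="httpd" '
    'name="foo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<cls>\w+)"
)

# Hand-expanded interface table in the spirit of the post: interface name ->
# rules of (target type, object class, permissions), with $1 as the caller.
# The permission sets are an assumption approximating the refpolicy macros
# (search_dir_perms, can_exec, ...), not a copy of refpolicy itself.
INTERFACES = {
    "corecmd_search_bin": [("bin_t", "dir", {"getattr", "search"})],
    "corenet_tcp_connect_smtp_port": [("smtp_port_t", "tcp_socket", {"name_connect"})],
    "corenet_tcp_sendrecv_smtp_port": [("smtp_port_t", "tcp_socket", {"send_msg", "recv_msg"})],
    "mta_exec": [("sendmail_exec_t", "file", {"getattr", "read", "execute", "execute_no_trans"})],
}


def parse_avc(lines):
    """Aggregate denials into {(source type, target type, class): set(perms)}."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        # the type is the third field of a security context (user:role:type:range)
        src = m.group("sctx").split(":")[2]
        tgt = m.group("tctx").split(":")[2]
        needed[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return needed


def match_interfaces(needed, interfaces=INTERFACES):
    """Return {src: {"interfaces": {name: extra perms granted}, "raw": [allow rules]}}.

    An interface is chosen when one of its rules covers at least one still-
    uncovered permission of a denial; whatever else that rule grants is
    recorded so a reviewer can see the over-grant. Permissions no interface
    covers become a raw allow rule, as plain audit2allow would emit.
    """
    out = defaultdict(lambda: {"interfaces": {}, "raw": []})
    for (src, tgt, cls), perms in sorted(needed.items()):
        remaining = set(perms)
        for name, rules in interfaces.items():
            for rtgt, rcls, rperms in rules:
                if rtgt == tgt and rcls == cls and remaining & rperms:
                    extra = rperms - perms
                    out[src]["interfaces"].setdefault(name, set()).update(extra)
                    remaining -= rperms
        if remaining:
            out[src]["raw"].append(
                f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(remaining))} }};")
    return dict(out)


def render(result):
    """Format the match result as policy text with review comments."""
    lines = []
    for src, r in sorted(result.items()):
        lines.append(f"# {src}")
        for name, extra in sorted(r["interfaces"].items()):
            note = f"  # also grants: {' '.join(sorted(extra))}" if extra else ""
            lines.append(f"{name}({src}){note}")
        lines.extend(r["raw"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(match_interfaces(parse_avc(AVC_LINES))))
```

On the constructed input this prints corecmd_search_bin, corenet_tcp_connect_smtp_port and mta_exec for httpd_t, each annotated with the permissions the interface adds beyond the denial, and a raw `allow httpd_t etc_t:file { write };` for the one denial no interface in the table covers. The "also grants" lines are the point: a matched interface is a policy decision to review, not an automatic fix, and the raw rule is the place to ask whether the denial should be allowed at all.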