> On Thu, 2007-07-05 at 22:46 +0900, Shintaro Fujiwara wrote:
> > > On Wed, 2007-07-04 at 08:16 +0900, Shintaro Fujiwara wrote:
> > > > > Hi,
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Shintaro Fujiwara
> > > > > > Sent: Monday, July 02, 2007 2:48 PM
> > > > > > To: fedora-selinux-list
> > > > > > Subject: Re: httpd can't send mails
> > > > > >
> > > > > >
> > > > > > If you are using postfix, here's what I did.
> > > > > > I made an interface for postfix.
> > > > > >
> > > > > > ########################################
> > > > > > ## <summary>
> > > > > > ##	for xoops sending mail from postfix.
> > > > > > ## </summary>
> > > > > > ## <param name="domain">
> > > > > > ##	Domain allowed to sending mails.
> > > > > > ## </param>
> > > > > > #
> > > > > >
> > > > > > interface(`xoops_send_mail_by_postfix',`
> > > > > > 	gen_require(`
> > > > > > 		type bin_t;
> > > > > > 		type smtp_port_t;
> > > > > > 		type sendmail_exec_t;
> > > > > > 	')
> > > > > > 	allow $1 bin_t:dir search;
> > > > > > 	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> > > > > > 	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> > > > > > ')
> > > > > >
> > > > >
> > > > > If you have the full reference policy source you should use defined
> > > > > interfaces instead of breaking encapsulation of the types. For example,
> > > > > you can rewrite your interface without any requires as:
> > > > >
> > > > > interface(`xoops_send_mail_by_postfix',`
> > > > >
> > > > > 	corecmd_search_bin($1)
> > > > >
> > > > > 	corenet_tcp_connect_smtp_port($1)
> > > > > 	corenet_tcp_sendrecv_smtp_port($1)
> > > > >
> > > > > 	mta_exec($1)
> > > > > ')
> > > > >
> > > > > David
> > > >
> > > > Thanks !
> > > >
> > > > That's what I'm aiming at in the near future.
> > > >
> > > > As a matter of fact, I printed every interface and felt at a loss,
> > > > because of its thickness.
> > > >
> > > > In what page or software can I find those defined interfaces ?
> > > > SLIDE ?
> > > >
> > > > I once wrote such a software named segatex...
> > > >
> > > > Why is audit2allow just echoing raw access vectors and not interfaces ?
> > > > I think if audit2allow had such an option, it would be more convenient
> > > > and rewarding.
> > >
> > > audit2allow -R will attempt to match interfaces, albeit imperfectly.
> > >
> >
> > Thanks for letting me know.
> > I found new refpolicy using many interfaces.
> > As a means of generating interfaces from raw denied messages,
> > I worked on one .if file as a test to break up interfaces.
> > By this process, I think I can match audit.log to interfaces.
> > Although incomplete, it looks like this...
> > I will break up till I get access vectors.
>
> Not sure what you are trying to do, but just look at sepolgen to see how
> it is matching audit messages to interfaces. You can re-use that
> support.

Thanks !
I will make use of every way I can take.
SLIDE or sepolgen would be nice, but I want to play on my project for a
while.
Just looking at those "support" or "modules" directories can make one
understand SELinux better and I'm really having fun.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
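
Added example, not part of the thread and not sepolgen's or audit2allow's code: a Python sketch of the matching discussed above, turning AVC denials into interface calls and falling back to raw allow rules where nothing matches. The INTERFACES table is an assumed simplification read off the two versions of xoops_send_mail_by_postfix quoted above (real refpolicy interfaces grant more), and the audit.log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed, simplified table: interface -> {(target type, class): permissions},
# read off the two versions of the interface in the thread (not real refpolicy).
INTERFACES = {
    "corecmd_search_bin": {("bin_t", "dir"): {"search"}},
    "corenet_tcp_connect_smtp_port": {("smtp_port_t", "tcp_socket"): {"name_connect"}},
    "corenet_tcp_sendrecv_smtp_port": {("smtp_port_t", "tcp_socket"): {"send_msg", "recv_msg"}},
    "mta_exec": {("sendmail_exec_t", "file"): {"execute", "execute_no_trans", "getattr", "read"}},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")

def parse_denials(log_text):
    """Collect denied permissions per (source type, target type, class)."""
    denied = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        denied[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return denied

def match_interfaces(log_text):
    """Return (interface calls, leftover raw allow rules) covering the denials."""
    calls, raw = set(), []
    for (src, tgt, cls), perms in sorted(parse_denials(log_text).items()):
        remaining = set(perms)
        for name, grants in INTERFACES.items():
            granted = grants.get((tgt, cls), set())
            if granted & perms:           # interface covers part of the denial
                calls.add(f"{name}({src})")
                remaining -= granted
        if remaining:                     # nothing in the table grants these
            raw.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(remaining))} }};")
    return sorted(calls), raw

# Constructed audit.log lines (sample input, not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1183500000.100:41): avc:  denied  { search } for  pid=2101 comm="httpd" name="bin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1183500000.200:42): avc:  denied  { name_connect } for  pid=2102 comm="sendmail" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183500000.300:43): avc:  denied  { execute getattr } for  pid=2101 comm="httpd" name="sendmail.postfix" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1183500000.400:44): avc:  denied  { read } for  pid=2102 comm="sendmail" name="aliases" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
"""

if __name__ == "__main__":
    print(match_interfaces(SAMPLE_LOG))
```

A matched interface can grant more than was denied (mta_exec here also covers execute_no_trans and read), so the resulting calls deserve a review before the module is loaded.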