I use postfix and installed GeoIP so that country of origin can be
determined from the IP. postfix.sendmail is constrained so that it
cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat.

The AVC is:

    avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
    exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
    items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
    scontext=system_u:system_r:system_mail_t:s0 sgid=48
    subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
    tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48

I ran audit2allow -M which produced the following policy:

    module postfixSendmail 1.0;

    require {
        type system_mail_t;
        type usr_t;
        class file read;
    }

    #============= system_mail_t ==============
    allow system_mail_t usr_t:file read;

I don't think allowing postfix.sendmail to read all files of type usr_t
is the right thing to do, yet I do need to allow postfix.sendmail to
read the GeoIP data file.

Any suggestions?

Regards,
John
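
Added example, not part of the original message: a short Python sketch that parses the denial quoted above, rebuilds the type-enforcement rule it maps to, and warns when the target is a widely shared base type, which is the scope concern raised in the post. The BROAD_TYPES list and the function names are assumptions made for this illustration.

```python
import re

# Constructed for illustration: a few widely shared base file types; extend for your policy.
BROAD_TYPES = {"usr_t", "etc_t", "var_t", "lib_t", "bin_t", "default_t"}

# The denial quoted in the post, joined onto one line.
AVC = ("avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48 "
       "exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48 "
       "items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728 "
       "scontext=system_u:system_r:system_mail_t:s0 sgid=48 "
       "subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file "
       "tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48")


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line[m.end():])
    fields = {k: v.strip('"') for k, v in pairs}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("missing field: " + key)
    return sorted(m.group(1).split()), fields


def context_type(context):
    """Type is the third field of user:role:type[:level]; the level may contain colons."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]


def review(line):
    """Return the rule this denial maps to, plus a scope warning or None."""
    perms, f = parse_avc(line)
    src, tgt = context_type(f["scontext"]), context_type(f["tcontext"])
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = "allow %s %s:%s %s;" % (src, tgt, f["tclass"], perm_text)
    warning = None
    if tgt in BROAD_TYPES:
        warning = ("%s is a shared base type: the rule covers every %s labelled %s, "
                   "not only %s" % (tgt, f["tclass"], tgt, f.get("path", "<no path>")))
    return rule, warning


if __name__ == "__main__":
    print(*review(AVC), sep="\n")
```

The path field appears only in the warning, never in the rule: type enforcement matches on the label, so the rule's scope is decided by which files carry the target type.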