On Wed, 2008-01-16 at 09:55 -0500, John Griffiths wrote:
> I use postfix and installed GeoIP so that country of origin can be
> determined from the IP. postfix.sendmail is constrained so that it
> cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .
>
> The AVC is:
>
> avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
> exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
> items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
> scontext=system_u:system_r:system_mail_t:s0 sgid=48
> subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48
>
>
> I ran audit2allow -M which produced the following policy:
>
> module postfixSendmail 1.0;
>
> require {
>     type system_mail_t;
>     type usr_t;
>     class file read;
> }
>
> #============= system_mail_t ==============
> allow system_mail_t usr_t:file read;
>
> I don't think allowing postfix.sendmail to read all files of type usr_t
> is the right thing to do, yet I do need to allow postfix.sendmail to
> read the GeoIP data file.
>
> Any suggestions?

I think it's not a big problem allowing _read_ of usr_t files. If you
really want to separate these files from others, you could create a new
type. But, as I already mentioned, usr_t files do not hold any
confidential information (or at least they shouldn't). IMHO I would
allow read access.

-Stefan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
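For readers who prefer the "create a new type" option Stefan mentions over granting system_mail_t read on all of usr_t, here is an added worked example (not part of the thread, and not code from either poster) of a small reference-policy module that does exactly that. It assumes Fedora's selinux-policy-devel package is installed (it provides /usr/share/selinux/devel/Makefile); the module name postfix_geoip, the type name geoip_data_t and the working directory are our own choices. It uses the refpolicy permission sets read_file_perms and list_dir_perms rather than the bare `read` that audit2allow emitted, so the next AVC for getattr or directory search does not send you back round the audit2allow loop.

```shell
#!/bin/sh
# Added example (not from the thread): give the GeoIP database its own type
# instead of letting system_mail_t read every usr_t file.
# Assumes selinux-policy-devel is installed; postfix_geoip / geoip_data_t are
# names chosen for this example.
set -eu

MODULE=postfix_geoip
WORKDIR="${WORKDIR:-/tmp/${MODULE}}"

# Type enforcement source: declare the new type, mark it as a generic file
# type (so restorecon, rpm etc. treat it normally) and grant system_mail_t
# read access to directories and files carrying it. The permission sets cover
# getattr/search/open-style permissions as well as plain read.
geoip_te() {
    cat <<'EOF'
policy_module(postfix_geoip, 1.0)

gen_require(`
    type system_mail_t;
')

type geoip_data_t;
files_type(geoip_data_t)

allow system_mail_t geoip_data_t:dir list_dir_perms;
allow system_mail_t geoip_data_t:file read_file_perms;
EOF
}

# File-context source: label the GeoIP directory and everything below it.
geoip_fc() {
    cat <<'EOF'
/usr/share/GeoIP(/.*)?    gen_context(system_u:object_r:geoip_data_t,s0)
EOF
}

# Compile with the refpolicy Makefile, load the module, then relabel so the
# new type is actually applied on disk (loading the module alone does not
# change existing labels).
build_and_load() {
    mkdir -p "$WORKDIR"
    geoip_te > "$WORKDIR/$MODULE.te"
    geoip_fc > "$WORKDIR/$MODULE.fc"
    ( cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$WORKDIR/$MODULE.pp"
    restorecon -Rv /usr/share/GeoIP
    # Sanity check: the database should now show geoip_data_t, not usr_t.
    ls -Z /usr/share/GeoIP/GeoIP.dat
}

case "${1:-show}" in
    install) build_and_load ;;
    show)    geoip_te; echo; geoip_fc ;;
    *)       echo "usage: $0 [show|install]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the two source files for review, and with `install` (as root) to build, load and relabel. Afterwards `ls -Z /usr/share/GeoIP/GeoIP.dat` should report geoip_data_t, and the original AVC should no longer appear because sendmail.postfix now reads a type it is explicitly allowed to read, while every other usr_t file stays off limits to system_mail_t.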