Re: postfix sendmail and GeoIP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2008-01-16 at 09:55 -0500, John Griffiths wrote:
> I use postfix and installed GeoIP so that country of origin can be 
> determined from the IP. postfix.sendmail is constrained so that it 
> cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .
> 
> The AVC is:
> 
>     avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
>     exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
>     items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
>     scontext=system_u:system_r:system_mail_t:s0 sgid=48
>     subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
>     tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48
> 
> 
> I ran audit2allow -M  which produced the following policy:
> 
>     module postfixSendmail 1.0;
> 
>     require {
>             type system_mail_t;
>             type usr_t;
>             class file read;
>     }
> 
>     #============= system_mail_t ==============
>     allow system_mail_t usr_t:file read;
> 
> I don't think allowing postfix.sendmail to read all files of type usr_t 
> is the right thing to do, yet, I do need to allow postfix.sendmail to 
> read the GeoIP data file.
> 
> Any suggestions?

I think it's not a big problem allowing _read_ of usr_t files. If you
really want to separate these files from others you could create a new
type. But like I already mentioned usr_t files do not hold any
confidential information (or at least they shouldn't). IMHO I would
allow read access.

-Stefan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux