Stefan Schulze Frielinghaus wrote:
I ran audit2allow -M which produced the following policy:
module postfixSendmail 1.0;

require {
	type system_mail_t;
	type usr_t;
	class file read;
}

#============= system_mail_t ==============
allow system_mail_t usr_t:file read;
I don't think allowing postfix.sendmail to read all files of type usr_t
is the right thing to do, yet, I do need to allow postfix.sendmail to
read the GeoIP data file.
Any suggestions?
I think it's not a big problem allowing _read_ of usr_t files. If you
really want to separate these files from others, you could create a new
type. But, like I already mentioned, usr_t files do not hold any
confidential information (or at least they shouldn't). IMHO I would
allow read access.
-Stefan
--
+ You could also add the good old pre-SELinux attributes into the equation
and allow postfix.sendmail to read only from the desired dir. Either
setfacl or chmod o-rwx plus chgrp (or variants of this combination)
would help here.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
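The "create a new type" alternative mentioned in the thread, as an added example that is not from any of the posters: a shell procedure that labels the GeoIP data with its own type and grants system_mail_t read on that type only, instead of on every usr_t file. The type name postfix_geoip_t, the module name and the path /usr/share/GeoIP are assumptions.

```shell
#!/bin/sh
# Added example: confine the GeoIP data under a dedicated type instead of
# granting system_mail_t read on every usr_t file. The type name
# (postfix_geoip_t) and the directory (/usr/share/GeoIP) are assumptions;
# adjust them to where the GeoIP data file actually lives.
set -eu

MODULE=postfix_geoip
GEOIP_DIR=/usr/share/GeoIP

# Policy source: declares the new type, attaches the file_type attribute so
# the labelling tools treat it as an ordinary file type, and grants
# system_mail_t read on that type only.
gen_te() {
    cat <<'EOF'
module postfix_geoip 1.0;

require {
    type system_mail_t;
    attribute file_type;
    class file { read getattr };
}

# Dedicated type for the GeoIP data; nothing else is labelled with it.
type postfix_geoip_t;
typeattribute postfix_geoip_t file_type;

allow system_mail_t postfix_geoip_t:file { read getattr };
EOF
}

# Build and install the module, then persist and apply the file label.
install_policy() {
    gen_te > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
    # Record the labelling rule, then relabel the files already on disk.
    semanage fcontext -a -t postfix_geoip_t "$GEOIP_DIR(/.*)?"
    restorecon -Rv "$GEOIP_DIR"
    # Confirm the new context is in place.
    ls -Z "$GEOIP_DIR"
}

# Only install when asked to, so the functions can also be sourced.
if [ "${1:-}" = "install" ]; then install_policy; fi
```

Run as root with `sh postfix_geoip.sh install`; any further denials for the new type appear in audit.log and can be fed to audit2allow again.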