Re: postfix sendmail and GeoIP

On Wed, 2008-01-16 at 09:55 -0500, John Griffiths wrote:
> I use postfix and installed GeoIP so that country of origin can be 
> determined from the IP. postfix.sendmail is constrained so that it 
> cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .
> 
> The AVC is:
> 
>     avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
>     exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
>     items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
>     scontext=system_u:system_r:system_mail_t:s0 sgid=48
>     subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
>     tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48
> 
> 
> I ran audit2allow -M  which produced the following policy:
> 
>     module postfixSendmail 1.0;
> 
>     require {
>             type system_mail_t;
>             type usr_t;
>             class file read;
>     }
> 
>     #============= system_mail_t ==============
>     allow system_mail_t usr_t:file read;
> 
> I don't think allowing postfix.sendmail to read all files of type usr_t 
> is the right thing to do, yet, I do need to allow postfix.sendmail to 
> read the GeoIP data file.
> 
> Any suggestions?
> 
> Regards,
> John
> 
> --
If you want the resource to have its own type you could modify the
policy you have to look something like the one below. Note this hasn't
been tested in any way so your mileage may vary. The fc file will make
sure that the file gets relabeled properly. I haven't worked with
modular policy much so I may have missed something.

postfixSendmail.te

# Build and load with:
#   make -f /usr/share/selinux/devel/Makefile postfixSendmail.pp
#   semodule -i postfixSendmail.pp
#   restorecon -v /usr/share/GeoIP/GeoIP.dat
policy_module(postfixSendmail, 1.0)

	require {
		type system_mail_t;
	}

	# A private type for the GeoIP database, so the rule below does
	# not also open up every other usr_t file under /usr.
	type geoip_usr_t;
	# Puts the type in the file_type attribute and allows it to be
	# associated with the filesystem; without this restorecon cannot
	# apply the label.
	files_type(geoip_usr_t)

	#============= system_mail_t ==============
	# read_file_perms also covers getattr/lock/ioctl (and open, where
	# the policy has it), which a bare "read" grant would leave to be
	# denied on the next attempt.
	allow system_mail_t geoip_usr_t:file read_file_perms;

postfixSendmail.fc
/usr/share/GeoIP/GeoIP\.dat 	--	gen_context(system_u:object_r:geoip_usr_t,s0)
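
A small POSIX sh helper, added here as an example and not part of the thread, that does the narrowing step by hand: it reads the AVC line quoted above (reassembled onto one line, so a constructed input), pulls out the source type, object class, denied permissions and path, and prints an allow rule and an fc entry that use a dedicated type instead of the generic target type (usr_t) the AVC reports. The type name geoip_usr_t is taken from the reply; the helper function names are assumptions. Keep in mind the AVC shows only the permission that was denied on that attempt, so getattr/open may show up in a later denial once read is granted.

```shell
#!/bin/sh
# Added example (not from the list post): derive narrowed policy lines
# from an AVC denial, substituting a dedicated type for the generic
# target type instead of granting access to everything labelled usr_t.
# Only POSIX sh and sed are used.

# Pull one "key=value" field out of an AVC line ($1 = line, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# The third colon-separated element of a context is the type.
ctx_type() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Print an allow rule for the denied permissions, but on $2 (the
# dedicated type) rather than on the target type the AVC reports.
avc_rule() {
    line=$1 newtype=$2
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    src=$(ctx_type "$(avc_field "$line" scontext)")
    cls=$(avc_field "$line" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$newtype" "$cls" "$perms"
}

# Print the matching file_contexts entry for the path named in the AVC.
# fc paths are regular expressions, so the dots in the path are escaped.
avc_fc() {
    line=$1 newtype=$2
    path=$(avc_field "$line" path | sed 's/\./\\./g')
    printf '%s\t--\tgen_context(system_u:object_r:%s,s0)\n' "$path" "$newtype"
}

# The denial from the post, reassembled onto one line (constructed input).
SAMPLE_AVC='avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48 exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48 items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728 scontext=system_u:system_r:system_mail_t:s0 sgid=48 subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48'

avc_rule "$SAMPLE_AVC" geoip_usr_t
avc_fc   "$SAMPLE_AVC" geoip_usr_t
```

After loading the module and running restorecon, `ls -Z /usr/share/GeoIP/GeoIP.dat` should show geoip_usr_t and `matchpathcon /usr/share/GeoIP/GeoIP.dat` should report the same context; if the label did not change, the fc entry was not applied. Note that the rule this helper prints grants only what the one AVC asked for, which is why the module above uses the refpolicy permission set instead.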


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
