On Tue, 2008-02-19 at 14:00 -0500, Daniel J Walsh wrote:
> if you
>
> chcon -t mailman_mail_exec_t /usr/lib/mailman/mail/mailman
>
> Does it work?

Yes, I assume so, as there is no output complaining that it failed, and:

# ls -lZ /usr/lib/mailman/mail/mailman
-rwxr-sr-x root mailman system_u:object_r:mailman_mail_exec_t:s0 /usr/lib/mailman/mail/mailman

> Ok could you run
>
> # grep mailman /var/log/audit/audit.log | audit2allow -M mymailman
> # semodule -i mymailman.pp

Thanks. This appears to have fixed the problem. I have not exhaustively
tested, but everything appears to be working now. I see that there is a
mymailman.te file created as a result of the above. This file contains
the text:

module mymailman 1.0;

require {
        type sendmail_t;
        type mailman_log_t;
        type mailman_data_t;
        class dir { write remove_name search add_name };
        class file { write rename getattr read create append };
}

#============= sendmail_t ==============
allow sendmail_t mailman_data_t:dir { write remove_name add_name };
allow sendmail_t mailman_data_t:file { write rename getattr create };
allow sendmail_t mailman_log_t:dir search;
allow sendmail_t mailman_log_t:file { read getattr append };

Am I the first to try to get mailman and sendmail working together under
selinux with Fedora? Either way, something resembling the above should
probably become a default policy, as, if I'm the first I won't be the
last! What can I do to help refine the above into a genuine and
genuinely useful policy? I am clearly still learning about selinux!

Thanks,

Eddie

--
Edward Kuns <ekuns@xxxxxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
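
An added example (not from the original message, and not audit2allow's own code): how AVC denial records map onto allow rules like those in mymailman.te, so each rule can be traced to the denial that produced it before the module is loaded. The audit records are constructed sample data and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit records (pids, inodes and names are made up). The SELinux
# types are the ones that appear in the mymailman.te quoted in the message.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1203447600.101:501): avc:  denied  { write } for  pid=2101 comm="mailman" name="in" dev=dm-0 ino=1001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1203447600.102:502): avc:  denied  { add_name } for  pid=2101 comm="mailman" name="msg.tmp" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1203447600.103:503): avc:  denied  { create } for  pid=2101 comm="mailman" name="msg.tmp" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
type=SYSCALL msg=audit(1203447600.103:503): arch=40000003 syscall=5 success=no exit=-13 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:sendmail_t:s0
type=AVC msg=audit(1203447601.104:504): avc:  denied  { search } for  pid=2101 comm="mailman" name="mailman" dev=dm-0 ino=1002 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_log_t:s0 tclass=dir
type=AVC msg=audit(1203447601.105:505): avc:  denied  { append } for  pid=2101 comm="mailman" name="post" dev=dm-0 ino=1003 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_log_t:s0 tclass=file
type=AVC msg=audit(1203447602.106:506): avc:  denied  { write } for  pid=2102 comm="mailman" name="in" dev=dm-0 ino=1001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
"""

# Only "avc: denied" records carry the permission set and both contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL and other record types are skipped
            continue
        key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def render_rules(grouped):
    """Render one allow rule per group, in the .te file's syntax."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(denials_to_rules(SAMPLE_AUDIT_LOG))))
```

Comparing this per-denial view with the generated .te file shows which logged access each allow rule grants, which is the review to do before running semodule -i.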