Hi,

this is a rather special use case, but I think it is valid. According to Paul's hints at http://marilyn.frields.org:8080/~paul/wordpress/?p=2616 I configured postfix to relay my local mail via some mail servers. But since I like a clean approach, I did not want the sasl_password files in /etc/, so that the admin (me) has to handle plain text passwords there.

Postfix seems to support multiple db files at arbitrary positions. But SELinux does not. I guess the transition to postfix_smtp_t is a little too early (before chroot). So I changed the context of my sasl_passwd files to postfix_smtp_t, just to notice that:

1. I (as a user) cannot do this
2. After I did it nevertheless, I cannot edit those files

So here is my proposal: Introduce postfix_userconfig_t and let postfix_smtp_t read it, and allow transitions and read/write access from unconfined_t to it. I know that this is suboptimal because it effectively becomes unconfined_t, but since the admin _must_ add those files to /etc/postfix/main.cf (and should allow only harmless files), I guess that this is OK.

Any objections, or shall I try to write a patch for the policy?
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list