Re: postfix_smtp_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/23/2009 05:03 AM, Christoph Höger wrote:
> Hi,
> 
> this is a rather special use case, but I think it is valid. According to
> Pauls hints at
>  http://marilyn.frields.org:8080/~paul/wordpress/?p=2616
> I configured postfix to relay my local mail via some mail servers. But
> since I like a clean approach I did not want the sasl_password files
> in /etc/ so that the admin (me) has to handle plain text passwords
> there. 
> 
> Postfix seems to support multiple db files at arbitrary positions. But
> SELinux does not. I guess the transition to postfix_smtp_t is a little
> too early (before chroot). So I changed the context of my sasl_passwd
> files to postfix_smtp_t, just to notice that:
> 
> 1. I (as a user) cannot do this
> 2. After I did it nevertheless I cannot edit those files
> 
> So here is my proposal:
> 
> Introduce postfix_userconfig_t and let postfix_smtp_t read it, and allow
> transitions and read/write access from unconfined_t to it. I know that
> this is suboptimal because it effectively becomes unconfinded_t, but
> since the admin _must_ add those files to /etc/postfix/main.cf (and
> should allow only harmless files) I guess that this is ok.
> 
> any objections or shall I try to write a patch for the policy?
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
What was the AVC you were seeing that caused you to make this change?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux