On 07/23/2009 05:03 AM, Christoph Höger wrote:
> Hi,
>
> this is a rather special use case, but I think it is valid. According to
> Paul's hints at
> http://marilyn.frields.org:8080/~paul/wordpress/?p=2616
> I configured postfix to relay my local mail via some mail servers. But
> since I like a clean approach I did not want the sasl_password files
> in /etc/ so that the admin (me) has to handle plain text passwords
> there.
>
> Postfix seems to support multiple db files at arbitrary positions. But
> SELinux does not. I guess the transition to postfix_smtp_t is a little
> too early (before chroot). So I changed the context of my sasl_passwd
> files to postfix_smtp_t, just to notice that:
>
> 1. I (as a user) cannot do this
> 2. After I did it nevertheless I cannot edit those files
>
> So here is my proposal:
>
> Introduce postfix_userconfig_t and let postfix_smtp_t read it, and allow
> transitions and read/write access from unconfined_t to it. I know that
> this is suboptimal because it effectively becomes unconfined_t, but
> since the admin _must_ add those files to /etc/postfix/main.cf (and
> should allow only harmless files) I guess that this is ok.
>
> Any objections or shall I try to write a patch for the policy?
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What was the AVC you were seeing that caused you to make this change?