On Mon, 2009-08-03 at 10:20 +1000, Scott Radvan wrote:
> Hi,
>
> Working on the Postfix chapter in my SELinux managing confined services
> book [0] and am having trouble with Postfix/spamassassin.
>
> I have got email traversing back and forth just fine, but I am trying to
> invoke a denial or a problem for which I can document the work-around.
> spamassassin_can_network seems to be a good Boolean to explain, show
> the denial and then show the work-around for.
>
> This Boolean is off by default, which as far as I can tell would stop
> spamassassin from launching as a daemon listening on the machine's
> actual IP/interface.
>
> But my problem is that it is launching without a problem and listening
> on the machine's interface without error. I am assuming that it is
> working fine because the spamassassin processes are only launching as
> initrc_t, when it should be transitioning to something else..?
>
> # ps -eZ | grep spamd
> unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
> unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
> unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd
>
> # ls -lZ /etc/init.d/spamassassin
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
>
> (I tried labelling this differently to this default setting, to
> spamd_initrc_exec_t, but to no avail.)
>
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
>
> Basically I need to make sure spamassassin is starting normally so that
> the Boolean mentioned will block access. So any help is appreciated,
> should spamassassin as a daemon transition to something other than
> initrc_t? And how do I get it to do so?
>
> Or am I going down the wrong track to get this Boolean which is off by
> default to do something which I can demonstrate and fix?
>
> Thank you,

Not sure, but probably a bug. This is an application domain. I cannot find an init_daemon_domain declaration, meaning initrc_t does not transition.
There is a spamassassin_role() in the interface file with a transition defined for users; however, this interface is probably not called by the user domains.

hth

So first see if you can get it to run in its domain by restoring the locations mentioned under contexts. If that does
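The reply points at three things to check before expecting spamassassin_can_network to have any effect: which domain the spamd processes actually run in, whether the policy holds a type_transition from initrc_t through spamd's executable, and whether the files involved carry the labels policy expects. The script below is an added example written for this thread, not code from the list or from the SELinux reference policy. It assumes the type names spamd_t and spamd_exec_t, the sesearch options -T/-s/-t, the path /usr/bin/spamd, and the output shape of sesearch shown in SAMPLE_TRANS (all constructed or assumed); the parsing helpers work on constructed sample output so the logic can be tried on any host, and check_live runs the real commands only when invoked with the argument live.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide whether spamd has left
# initrc_t, using the facts the thread relies on: process context (ps -eZ),
# the type_transition rule in policy (sesearch), and file labels (restorecon).

# Constructed sample of `ps -eZ | grep spamd`, shaped like the thread's output.
SAMPLE_PS='unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd'

# Constructed sample of what `sesearch -T -s initrc_t -t spamd_exec_t` would
# print if the policy carried an init transition for spamd (assumed format).
SAMPLE_TRANS='type_transition initrc_t spamd_exec_t:process spamd_t;'

# Print the SELinux type (third context field) of every process named $1.
# stdin: ps -eZ output.
proc_types() {
    awk -v name="$1" '$NF == name { split($1, ctx, ":"); print ctx[3] }'
}

# Exit 0 when at least one process named $1 exists and all run in domain $2.
# stdin: ps -eZ output.
all_in_domain() {
    proc_types "$1" | awk -v want="$2" '
        { n++; if ($0 != want) bad = 1 }
        END { if (n > 0 && !bad) exit 0; exit 1 }'
}

# Exit 0 when the sesearch output on stdin contains a type_transition
# from domain $1, via entrypoint type $2, into domain $3.
has_transition() {
    grep -q -- "type_transition $1 $2:process $3" 
}

# Verdict from ps output ($1) and sesearch output ($2):
#   0  spamd is confined in spamd_t, so spamassassin_can_network applies
#   1  no initrc_t -> spamd_t transition exists in policy (a policy gap,
#      the bug the reply suspects; no relabelling will help)
#   2  the rule exists but spamd still runs as initrc_t, so the spamd
#      binary is most likely mislabelled and restorecon should fix it
diagnose() {
    if printf '%s\n' "$1" | all_in_domain spamd spamd_t; then
        echo "spamd runs in spamd_t; spamassassin_can_network is enforced on it"
        return 0
    fi
    if printf '%s\n' "$2" | has_transition initrc_t spamd_exec_t spamd_t; then
        echo "policy has the transition but spamd stayed in initrc_t:"
        echo "check the label on the spamd binary (restorecon -v /usr/bin/spamd)"
        return 2
    fi
    echo "no initrc_t -> spamd_t transition in policy: spamd cannot leave initrc_t"
    return 1
}

# Run the real checks on this host. Needs ps -Z, sesearch (setools),
# restorecon and getsebool; /usr/bin/spamd is an assumed path.
check_live() {
    ps_out=$(ps -eZ)
    trans_out=$(sesearch -T -s initrc_t -t spamd_exec_t 2>/dev/null)
    diagnose "$ps_out" "$trans_out"
    # Dry-run relabel: lists files whose current label differs from policy.
    restorecon -nv /etc/init.d/spamassassin /usr/bin/spamd
    getsebool spamassassin_can_network
}

case "${1-}" in
    live) check_live ;;
esac
```

Running it as `sh diagnose-spamd.sh live` on the affected host gives the verdict plus any files restorecon would relabel; exit code 1 means relabelling the init script, as tried in the thread, cannot help because the policy simply has no transition for the daemon.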
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list