On 12/02/2009 06:57 PM, Roland Roberts wrote:
Okay, here's what I finally ended up with that has me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via TCP, but
changed them to use the unix domain socket. The policies below allow
either.
[...]
module eximfixes 1.0;

require {
	type postgresql_tmp_t;
	type exim_t;
	type postgresql_t;
	class sock_file write;
	class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
	type postgresql_port_t;
	type httpd_t;
	type pop_port_t;
	class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;
The above are not actually necessary; only the dovecot fix was needed.
Daniel Walsh pointed out that there were booleans I could set for the
other problems, namely
# setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1 exim_can_connect_db=1
replaces all of the above.
roland
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@xxxxxxxxxxx 6818 Madeline Court
roland@xxxxxxxxxxxxx Brooklyn, NY 11220
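Added example, not part of the post or of the Fedora policy: a small audit script that parses the allow rules in the two custom modules above and reports which of them the three booleans Daniel Walsh named already grant, so the local module can be dropped. The boolean-to-rule mapping (BOOLEAN_RULES) is an assumption reconstructed from the post's claim that the booleans replace the modules; check it against your distribution's policy with sesearch before relying on it.

```python
import re

# ASSUMPTION (constructed from the post): which allow rules each boolean grants.
# Verify on a real system with, e.g.: sesearch -A -s httpd_t -t pop_port_t -b httpd_can_sendmail
BOOLEAN_RULES = {
    "httpd_can_network_connect_db": {("httpd_t", "postgresql_port_t", "tcp_socket", "name_connect")},
    "httpd_can_sendmail": {("httpd_t", "pop_port_t", "tcp_socket", "name_connect")},
    "exim_can_connect_db": {("exim_t", "postgresql_t", "unix_stream_socket", "connectto"),
                            ("exim_t", "postgresql_tmp_t", "sock_file", "write")},
}

# Matches "allow src tgt:class perm;" and "allow src tgt:class { p1 p2 };"
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# The two modules from the post, embedded here as sample input.
HTTPD_MODULE = """module httpdfixes 1.0;
require {
    type postgresql_port_t; type httpd_t; type pop_port_t;
    class tcp_socket { name_bind name_connect };
}
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;
"""
EXIM_MODULE = """module eximfixes 1.0;
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;
"""

def parse_allow_rules(te_text):
    """Return the set of (source, target, class, permission) tuples in a .te module."""
    rules = set()
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        for perm in perms.strip("{} ").split():  # expand { a b } into one rule per perm
            rules.add((src, tgt, cls, perm))
    return rules

def audit_module(te_text, boolean_rules=BOOLEAN_RULES):
    """Split a module's rules into those a boolean grants (by boolean) and the rest."""
    covered, remaining = {}, set()
    for rule in parse_allow_rules(te_text):
        owner = next((b for b, granted in boolean_rules.items() if rule in granted), None)
        if owner is None:
            remaining.add(rule)  # a boolean cannot replace this; a local module stays needed
        else:
            covered.setdefault(owner, set()).add(rule)
    return covered, remaining
```

With the mapping as assumed, the exim module is fully replaced by exim_can_connect_db, while name_bind on pop_port_t in the httpd module is left over, which is consistent with the post's remark that those httpd rules were not actually needed.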
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list