On Fri, 2013-02-22 at 17:38 +0000, Alain Williams wrote:
> My exim config needs to speak to MySQL (for greylisting).
>
> To allow this to work I needed to run:
>
> setsebool -P exim_can_connect_db 1
>
> And that seems to do the trick.
> Now sealert tells me:
>
> SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/share/mysql/charsets/Index.xml.
>
> If you want to allow exim to have getattr access on the Index.xml file
> Then you need to change the label on /usr/share/mysql/charsets/Index.xml
> Do
> # semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'
>
> It then lists a whole set of suggested types.
>
> The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0
>
> I picked exim_t (which seemed reasonable - just on the name). But when I try I
> get permission denied, a bit of digging tells me that exim_t is a domain for a
> process rather than a type for a file.
>
> Questions:
>
> a) How do I work out what type to set the file to ?
>

In this case the optimal solution is to allow exim to read usr_t type files, but for the sake of example:

1. We know content in /usr/share is usable read-only content
2. We know the generic type for /usr/share is usr_t

So we need a type of file that exim_t can read-only:

sesearch -A -s exim_t -c file -p read

( in Fedora 18 exim_t is allowed to read usr_t files -- a rule returned from the command above )

But if it does not on your config you can look at the rules it returns and see what type of files exim_t can read ( { read getattr open } are at least needed to read a file )

So one (less optimal) type you could use would be cert_t or locale_t

By learning the sesearch, semanage and seinfo tools and by being creative and by having a basic understanding of the way things work one can figure out a lot

> b) I would presumably need to do so for every file in /usr/share/mysql/charsets/
>

I guess this is a bug in CentOS 6.3, here a quick fix:

mkdir ~/myexim; cd ~/myexim;
cat > myexim.te <<EOF
policy_module(myexim, 1.0.0)

optional_policy(`
    gen_require(`
        type exim_t;
    ')

    files_read_usr_files(exim_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myexim.pp
sudo semodule -i myexim.pp

> c) Is changing the type on a file so that the MTA can access it the right thing
> anyway, should I not be allowing exim access to usr_t instead ... but would
> that not open things too wide ?
>

In this case it's most likely not the right thing to do. You should probably keep it usr_t and allow exim_t to read usr_t type of content.

> d) More generally: where do I look to get a list of all the XXX_t, what they
> are, what they are supposed to be used for, ... so that I can work out what
> the best choice is ?
>

seinfo and sesearch can do wonders if you know what to look for, so examples:

all types that are classified as types for processes:
seinfo -xadomain

all types that are classified as types for files:
seinfo -xafile_type

all classifications of the exim_t type:
seinfo -xtexim_t

all classifications of the usr_t type:
seinfo -xtusr_t

Everyone that can read usr_t files:
sesearch -A -t usr_t -c file -p read

All files that exim_t can read:
sesearch -ASCT -s exim_t -c file -p read

One can be very creative with these two commands and analyze the policy in detail. There are however still things that it cannot tell you, but most it can tell.

For example: it cannot tell you the main content of type attributes, but it can show you the characteristics of a type attribute.

For example ( determining the properties of the domain type attribute ):
sesearch -ASCT -s domain | grep " domain "
sesearch -ASCT -t domain | grep " domain "

> Regards
>
>
> PS I am using CentOS 6.3.
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
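The "check with sesearch first, then grant the access through a refpolicy interface instead of relabelling the files" approach from the reply, turned into a small reusable helper. This is an added example, not code from the thread or from the SELinux project; it assumes setools (sesearch) and the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile are installed, and that the interface name you pass (files_read_usr_files for the exim_t/usr_t case above) exists in the installed policy headers.

```shell
#!/bin/sh
# Added example (not from the thread): verify a denial against the loaded
# policy and, only if the access is missing, build and load a module that
# grants it via a refpolicy interface. Assumes setools and the refpolicy
# devel Makefile; the interface passed in is assumed to exist in the headers.

# Render the .te source for a module: $1 module name, $2 source domain,
# $3 refpolicy interface to call with that domain as its argument.
render_te() {
cat <<EOF
policy_module($1, 1.0.0)

optional_policy(\`
    gen_require(\`
        type $2;
    ')

    $3($2)
')
EOF
}

# 0 if the loaded policy already allows $1 -> $2 (class file, perm $3),
# 1 if it does not, 2 if sesearch is not installed so nothing was checked.
# A plain 'allow ' match covers both the setools 3 and setools 4 output formats.
access_allowed() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c file -p "$3" | grep -q 'allow '
}

# Write, build and load the module: $1 module name, $2 domain, $3 interface.
install_module() {
    dir=$(mktemp -d) || return 1
    render_te "$1" "$2" "$3" > "$dir/$1.te"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$1.pp" || return 1
    semodule -i "$dir/$1.pp"
}

# Usage: fix_denial DOMAIN TARGET_TYPE PERM MODULE INTERFACE
# e.g.   fix_denial exim_t usr_t read myexim files_read_usr_files
fix_denial() {
    if access_allowed "$1" "$2" "$3"; then
        echo "policy already allows $1 -> $2:file $3; nothing to do"
        return 0
    elif [ $? -eq 2 ]; then
        echo "sesearch not found; building the module without checking first" >&2
    fi
    install_module "$4" "$1" "$5"
}

if [ "$#" -eq 5 ]; then
    fix_denial "$@"
fi
```

Run it as root on the affected host; a later `semodule -l` should list the module, and the original sealert denial should no longer be logged.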