On Wed, 03 Dec 2003, Russell Coker wrote: > On Wed, 3 Dec 2003 00:56, Peter Palfrader <[EMAIL PROTECTED]> wrote: > > > I've attached a modified version, please check it out. I've changed some > > > of the things to do it in the recommended manner (eg the > > > system_crond_entry() macro), and removed some things. > > > > > > The part for running ssh looked suspect, I think it's probably best to > > > just have can_exec(uucp_t, ssh_exec_t). > > > > The ssh port, which is often used to establish a secure line to the > > remote peer, needs to run ssh to connect to a remote host. > > > > Just using can_exec(uucp_t, ssh_exec_t) is not sufficient, we would also > > need to read random devices, open network connections, etc. For a more > > general policy, using the network might be necessary for the tcp port > > anyway, but I don't use that. > > Why not just permit the uucp domain to do that? Or if you really want to > create a new domain then do it in a way that does not overload "home" in type > names (confusion over what constitutes a USER home directory is not something > we want).
I started doing this, but it turned out to need a lot of things for
which I did not have time at that time.
> > I have added the ssh parts back to my policy, the rest seems to work.
> >
> > What is mta_user_agent for and why would it need to write to our spool?
>
> postfix_postdrop_t has the attribute mta_user_agent. If you want to ever get
> it working on other mail servers then using attributes such as mta_user_agent
> is necessary. If you use the attributes correctly then it should be possible
> to have it work with any mail server.
>
> Please send me a new copy of your policy.
Let me try to get going without an uucp ssh domain, I'll send the result
then.
Peter
--
PGP signed and encrypted | .''`. ** Debian GNU/Linux **
messages preferred. | : :' : The universal
| `. `' Operating System
http://www.palfrader.org/ | `- http://www.debian.org/
signature.asc
Description: Digital signature
