Since policyd's chroot option and name lookups did not work well together (ref: http://thread.gmane.org/gmane.mail.postfix.policyd/354), I have created an SELinux domain for the daemon instead, so it is confined by policy rather than by a chroot.
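SELinux policy files are included below; the procedure for building and loading them is documented at http://tanso.net/selinux/policyd/

# -------------- policyd.fc -------------
# policyd labeling policy
# file: policyd.fc
#
# Only these three paths get policyd-specific types. Giving policyd.conf its
# own type (instead of generic etc_t) matters because it normally holds the
# database credentials; only policyd_t is granted read access to it below.
/usr/sbin/policyd       --  gen_context(system_u:object_r:policyd_exec_t, s0)
/etc/policyd.conf       --  gen_context(system_u:object_r:policyd_conf_t, s0)
/var/run/policyd.pid    --  gen_context(system_u:object_r:policyd_var_run_t, s0)
# -------------- policyd.fc -------------

# -------------- policyd.te -------------
policy_module(policyd, 1.0)

#####################
# Type declarations #
#####################

# Policyd domain:
type policyd_t;
# executable entry point:
type policyd_exec_t;
# mark policyd_t as a domain and policyd_exec_t as an entrypoint into that
# domain, so the init script's execution of /usr/sbin/policyd lands in policyd_t
init_daemon_domain(policyd_t, policyd_exec_t)

# PID file /var/run/policyd.pid
type policyd_var_run_t;
files_pid_file(policyd_var_run_t)

# configuration files
type policyd_conf_t;
files_config_file(policyd_conf_t)

# Types owned by other modules. policyd_port_t is NOT declared here: port
# types must already exist in the base policy (corenetwork) before this module
# loads, and the listening port configured in policyd.conf must be labelled
# with it (e.g. `semanage port -a -t policyd_port_t -p tcp <port>`), otherwise
# the name_bind / name_connect rules below never match.
require {
	type policyd_port_t;
	type postfix_smtpd_t;
};

##########################
# policyd -- core access #
##########################

# Configuration files - read only. Nothing grants write on policyd_conf_t,
# and no other domain is given read on it (it carries the DB credentials).
allow policyd_t policyd_conf_t:dir r_dir_perms;
allow policyd_t policyd_conf_t:file r_file_perms;
allow policyd_t policyd_conf_t:lnk_file { getattr read };

# PID file - create, read, and write in /var/run; the filetrans makes the
# newly created pid file policyd_var_run_t instead of the directory's type
allow policyd_t policyd_var_run_t:dir rw_dir_perms;
allow policyd_t policyd_var_run_t:file create_file_perms;
files_pid_filetrans(policyd_t, policyd_var_run_t, file)

# Network: listen on policyd_port_t for postfix, connect out to MySQL over TCP.
allow policyd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(policyd_t)
corenet_tcp_sendrecv_all_nodes(policyd_t)
# sendrecv on all ports is kept because the peers (postfix clients, and the
# local ephemeral side of the MySQL connection) use unreserved ports
corenet_tcp_sendrecv_all_ports(policyd_t)
corenet_non_ipsec_sendrecv(policyd_t)
corenet_tcp_bind_all_nodes(policyd_t)
allow policyd_t policyd_port_t:tcp_socket name_bind;
corenet_tcp_connect_mysqld_port(policyd_t)
# resolver access (the name lookups that did not work from inside the chroot)
sysnet_dns_name_resolve(policyd_t)

# use shared libraries
libs_use_ld_so(policyd_t)
libs_use_shared_libs(policyd_t)

# Generic system files: /etc, locale data, and /usr/share/mysql/charsets/Index.xml
# (read by the MySQL client library). These interfaces replace the raw allow
# rules against etc_t, locale_t and usr_t that audit2allow produced, so the
# module no longer has to require those type names itself.
files_read_etc_files(policyd_t)
files_read_usr_files(policyd_t)
miscfiles_read_localization(policyd_t)

# syslog: unix_dgram_socket to /dev/log (devlog_t) and sendto syslogd_t
logging_send_syslog_msg(policyd_t)

# stdout/stderr when started from an admin's terminal (the devpts_t AVCs).
# A daemon should not need a pty at all; once it is confirmed to start cleanly
# without one, replace this with term_dontaudit_use_all_ptys(policyd_t) so the
# daemon cannot read from any pty.
term_use_all_ptys(policyd_t)

# Privilege drop and rlimit adjustment at startup. sys_chroot is only needed
# while the chroot option is still enabled in policyd.conf - with this domain
# doing the confinement, disable chroot there and drop sys_chroot from the set.
allow policyd_t self:capability { setuid setgid sys_resource sys_chroot };
allow policyd_t self:process setrlimit;

# Allow postfix to connect to the policy server:
allow postfix_smtpd_t policyd_port_t:tcp_socket name_connect;
# -------------- policyd.te -------------

-jf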