I have Postfix running on CentOS 6 with SELinux in enforcing targeted mode. By default, SELinux will block the following two components of my system:
* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not under the normal local /var/spool/mail

I'm not a SELinux expert, so I wanted to ask if anyone here has a critique of how I configured SELinux to work.

For the non-standard maildir location, I copied the context of /var/spool/mail like this:

```
chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail
```

From what I understand, this will work unless contexts are rebuilt. We don't plan to rebuild, but to be safe I'd rather create a SELinux policy that dictates this location should have the same context as the system mail spool. Does anyone have a .te file example for doing that?

For the custom port, I used this to create a new policy module (of course it has to be compiled and installed), which seems to be all I need(?)

```
module postfixport 1.0;

require {
    type postfix_master_t;
    type port_t;
    class tcp_socket name_bind;
}

#============= postfix_master_t ==============
#!!!! This avc can be allowed using the boolean allow_ypbind
allow postfix_master_t port_t:tcp_socket name_bind;
```
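One way to make the maildir labeling survive a relabel, as an added example rather than anything from the question: a small policy module whose .fc file assigns mail_spool_t to /var/userdata/mail, built with the same checkmodule/semodule_package toolchain the question's port module needs. The module name postfix_userdata and the POLICY_DIR output directory are assumptions; the path and type come from the question.

```shell
#!/bin/sh
# Added example (not from the original post): builds an SELinux module that
# labels /var/userdata/mail like the system spool. Module name postfix_userdata
# and the output directory are assumptions; the path is the one from the question.
set -eu

OUT_DIR="${POLICY_DIR:-.}"

# The file-context line: every object under /var/userdata/mail gets mail_spool_t,
# the same type as /var/spool/mail, so restorecon and full relabels keep it.
fc_line() {
    printf '%s\n' '/var/userdata/mail(/.*)?    system_u:object_r:mail_spool_t:s0'
}

write_policy_sources() {
    dir="$1"
    # The .te only has to declare that the module references mail_spool_t;
    # the labeling itself lives in the .fc file packaged alongside it.
    cat > "$dir/postfix_userdata.te" <<'EOF'
module postfix_userdata 1.0;

require {
    type mail_spool_t;
}
EOF
    fc_line > "$dir/postfix_userdata.fc"
}

# Compile, package with the .fc file, install, then apply the labels.
# Needs checkpolicy and policycoreutils; run as root on the CentOS 6 host.
build_and_install() {
    dir="$1"
    checkmodule -M -m -o "$dir/postfix_userdata.mod" "$dir/postfix_userdata.te"
    semodule_package -o "$dir/postfix_userdata.pp" -m "$dir/postfix_userdata.mod" \
        -f "$dir/postfix_userdata.fc"
    semodule -i "$dir/postfix_userdata.pp"
    restorecon -Rv /var/userdata/mail
    # Check: the policy now knows the path, so the label survives a relabel.
    matchpathcon /var/userdata/mail
}

write_policy_sources "$OUT_DIR"
# On the target host, run: build_and_install "$OUT_DIR"
```

Without a custom module, `semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"` followed by `restorecon -Rv /var/userdata/mail` records the same mapping in the local file-context customizations. For the loopback smtpd, labeling the port with `semanage port -a -t smtp_port_t -p tcp 10025` keeps the bind permission scoped to SMTP-labelled ports rather than allowing postfix_master_t to bind any generic port_t port.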