Hello
> * A custom smtpd instance listening on the loopback interface on port
> 10025
As you can see from your policy posted at the end of your post, you can
simply allow Postfix to bind to port 10025 using this command:
setsebool -P allow_ypbind=on
(parameter -P makes this change permanent)
> * Using Postfix virtual as the delivery agent to maildirs that are
> not under the normal local /var/spool/mail
> I copied the context of /var/spool/mail like this: chcon -R -u
> system_u -r object_r -t mail_spool_t /var/userdata/mail
To make this change permanent, use the following command:
semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"
and after that: restorecon -Rv /var/userdata/mail/
(all wrongly labelled files should get the correct context according to the
semanage rule above)
In order to use the "semanage" tool you have to install the
"policycoreutils-python" package.
It is very good to make it permanent, as all new folders/files within
this directory then get the correct context, and the same holds if some
rebuild action is performed (e.g. because of upgrading the selinux-policy
packages).
So as you can see, no custom SELinux modules are needed in order to make
this work :)
michal
On 10. 2. 2014 1:47, Ori Bani wrote:
I have Postfix running on CentOS 6 with SELinux in enforcing targeted
mode. By default, SELinux will block the following two components of
my system:
* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not
under the normal local /var/spool/mail
I'm not a SELinux expert, so I wanted to ask if anyone here has a
critique of how I configured SELinux to work. For the non-standard
maildir location, I copied the context of /var/spool/mail like this:
chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail
From what I understand, this will work unless contexts are rebuilt.
We don't plan to rebuild, but to be safe I'd rather create a SELinux
policy that dictates this location should have the same context as the
system mail spool. Does anyone have a .te file example for doing
that?
For the custom port, I used this to create a new policy module (of
course it has to be compiled and installed), which seems to be all I
need(?)
__________
module postfixport 1.0;
require {
    type postfix_master_t;
    type port_t;
    class tcp_socket name_bind;
}
#============= postfix_master_t ==============
#!!!! This avc can be allowed using the boolean allow_ypbind
# Let the Postfix master daemon bind a TCP socket to a generic (port_t) port
allow postfix_master_t port_t:tcp_socket name_bind;
--
Ing. Michal Bruncko, PhD., CCNP, RHCSA™
IT systems and network administrator
Coupled school of business and services Ruzomberok
Slovak Republic
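As an added example, not code from either poster: a small POSIX shell script that wraps the persistent relabelling described in the reply above (a semanage fcontext rule followed by restorecon) and then verifies the result with matchpathcon and a dry-run restorecon. The maildir root, the sample maildir path below it and the function names are assumptions; mail_spool_t is the type used in the thread.

```shell
#!/bin/sh
# Added example: persistent relabel of a non-standard maildir root (semanage
# fcontext + restorecon) followed by verification. Paths/names are assumptions.

# semanage fcontext regex covering a directory and everything below it,
# e.g. /var/userdata/mail -> /var/userdata/mail(/.*)?
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"        # drop one trailing slash first
}

# Type (third field) of an SELinux context, e.g.
# system_u:object_r:mail_spool_t:s0 -> mail_spool_t
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Type the loaded policy assigns to a path, i.e. what restorecon would set.
# matchpathcon prints "<path><tab><context>"; the context has no whitespace.
policy_type_for() {
    command -v matchpathcon >/dev/null || { echo "matchpathcon not found" >&2; return 1; }
    context_type "$(matchpathcon "$1" | awk '{ print $NF }')"
}

# Record the rule (-a fails if one already exists, so fall back to -m), relabel.
apply_rule() {
    pat="$(fcontext_pattern "$1")"
    semanage fcontext -a -t "$2" "$pat" 2>/dev/null \
        || semanage fcontext -m -t "$2" "$pat" || return 1
    restorecon -Rv "$1"
}

# The root and a (possibly not yet existing) path below it must both map to
# the expected type, and a dry-run restorecon must have nothing left to fix.
verify() {
    for p in "$1" "$1/example.com/user/Maildir/new/1.msg"; do
        t="$(policy_type_for "$p")" || return 1
        [ "$t" = "$2" ] || { echo "$p -> ${t:-?}, expected $2" >&2; return 1; }
    done
    pending="$(restorecon -Rnv "$1")"    # -n: report only, change nothing
    [ -z "$pending" ] || { echo "still mislabelled:" >&2; echo "$pending" >&2; return 1; }
    echo "OK: $1 subtree labels as $2"
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 DIR [TYPE]" >&2; return 2; }
    apply_rule "$1" "${2:-mail_spool_t}" && verify "$1" "${2:-mail_spool_t}"
}

[ $# -gt 0 ] && main "$@"   # only act when invoked with a directory
```

Run it as root with the directory as the first argument (e.g. `sh relabel.sh /var/userdata/mail`); it exits non-zero if the rule was not recorded or any file under the root still carries a different label.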