Re: [OT] SELinux Policies (port & maildir location)

On 2/10/14, Michal Bruncko wrote:
> > * A custom smtpd instance listening on the loopback interface on port
> > 10025
> as you can see from your policy posted at the end of your post - you can
> simply allow postfix to bind to port 10025 using command:
> setsebool -P allow_ypbind=on
> (parameter -P makes this change permanent)

I chose not to do that because it is global, not specific to Postfix. Why would I open a door more widely when I can just add a policy for the specific process in question? (Not being sarcastic, I want to know)

> > * Using Postfix virtual as the delivery agent to maildirs that are
> > not under the normal local /var/spool/mail
> > I copied the context of /var/spool/mail like this: chcon -R -u
> > system_u -r object_r -t mail_spool_t /var/userdata/mail
> to make this change permanent use following command:
> semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"
> and after that: restorecon -Rv /var/userdata/mail/
> (all wrongly labeled files should get correct context according to the
> semanage rule above)

Ah, this is what I was looking for. Thank you!

> ..in order to use "semanage" tool you have to install
> "policycoreutils-python" package.

Already had it in order to use audit2allow, but this is a good tip, because it's not obvious at all (not even documented in the vendor SELinux how-to page).
Re: [OT] SELinux Policies (port & maildir location)

Hello

> * A custom smtpd instance listening on the loopback interface on port 10025

as you can see from your policy posted at the end of your post - you can simply allow postfix to bind to port 10025 using command:

setsebool -P allow_ypbind=on

(parameter -P makes this change permanent)

> * Using Postfix virtual as the delivery agent to maildirs that are not under the normal local /var/spool/mail
> I copied the context of /var/spool/mail like this: chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail

to make this change permanent use following command:

semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"

and after that:

restorecon -Rv /var/userdata/mail/

(all wrongly labeled files should get correct context according to the semanage rule above)

..in order to use "semanage" tool you have to install "policycoreutils-python" package.

it is very good to make it permanent as all new folders/files within this directory get correct context. as well if some rebuild action will be performed (like because of upgrading of selinux-policy packages).

so as you can see, no custom selinux modules are needed in order to make this working :)

michal

On 10. 2. 2014 1:47, Ori Bani wrote:
> I have Postfix running on CentOS 6 with SELinux in enforcing targeted mode. By default, SELinux will block the following two components of my system:
>
> * A custom smtpd instance listening on the loopback interface on port 10025
> * Using Postfix virtual as the delivery agent to maildirs that are not under the normal local /var/spool/mail
>
> I'm not a SELinux expert, so I wanted to ask if anyone here has a critique of how I configured SELinux to work.
>
> For the non-standard maildir location, I copied the context of /var/spool/mail like this:
>
> chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail
>
> From what I understand, this will work unless contexts are rebuilt. We don't plan to rebuild, but to be safe I'd rather create a SELinux policy that dictates this location should have the same context as the system mail spool. Does anyone have a .te file example for doing that?
>
> For the custom port, I used this to create a new policy module (of course it has to be compiled and installed), which seems to be all I need(?)
>
> __
> module postfixport 1.0;
>
> require {
>         type postfix_master_t;
>         type port_t;
>         class tcp_socket name_bind;
> }
>
> #= postfix_master_t ==
> # This avc can be allowed using the boolean allow_ypbind
> allow postfix_master_t port_t:tcp_socket name_bind;

--
Ing. Michal Bruncko, PhD., CCNP, RHCSA™
IT systems and network administrator
Coupled school of business and services
Ruzomberok
Slovak Republic
[OT] SELinux Policies (port & maildir location)

I have Postfix running on CentOS 6 with SELinux in enforcing targeted mode. By default, SELinux will block the following two components of my system:

* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not under the normal local /var/spool/mail

I'm not a SELinux expert, so I wanted to ask if anyone here has a critique of how I configured SELinux to work.

For the non-standard maildir location, I copied the context of /var/spool/mail like this:

chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail

From what I understand, this will work unless contexts are rebuilt. We don't plan to rebuild, but to be safe I'd rather create a SELinux policy that dictates this location should have the same context as the system mail spool. Does anyone have a .te file example for doing that?

For the custom port, I used this to create a new policy module (of course it has to be compiled and installed), which seems to be all I need(?)

__
module postfixport 1.0;

require {
        type postfix_master_t;
        type port_t;
        class tcp_socket name_bind;
}

#= postfix_master_t ==
# This avc can be allowed using the boolean allow_ypbind
allow postfix_master_t port_t:tcp_socket name_bind;
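The three fixes discussed in this thread have very different blast radii: the boolean audit2allow names (`allow_ypbind`) applies to every domain on the host, a custom .te module adds one rule for one domain, and relabelling the object (`semanage port` / `semanage fcontext` plus `restorecon`) grants nothing new to anyone while surviving a policy relabel. The script below is an added example, not code from any of the posters: it parses audit.log AVC records and maps each denial to the narrowest of those fixes. The audit lines in `SAMPLE_AUDIT` are constructed, and the `PORT_TYPE_FOR_DOMAIN` / `FILE_TYPE_FOR_DOMAIN` tables are assumptions that must be checked against the installed policy (for example with `sesearch`) before the printed commands are run.

```python
"""Triage SELinux AVC denials and pick the narrowest durable fix.

Added example for this thread, not code from any of its posters.
Assumptions (not in the thread): the audit.log lines in SAMPLE_AUDIT are
constructed, and the domain-to-type tables below are guesses that must be
confirmed against the installed policy (e.g. with `sesearch`) before use.
"""
import re

# "avc:  denied  { perm ... } for  key=value ..." as written by the kernel
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a port type the source domain is already allowed to bind, so
# relabelling the port grants nothing to any other domain.
PORT_TYPE_FOR_DOMAIN = {"postfix_master_t": "smtp_port_t"}
# Assumption: the file type the delivery agents already own in /var/spool/mail.
FILE_TYPE_FOR_DOMAIN = {"postfix_virtual_t": "mail_spool_t",
                        "postfix_local_t": "mail_spool_t"}

# Widest to narrowest blast radius; lower is better.
SCOPE_RANK = {"global-boolean": 3, "custom-module": 2, "object-label": 1}

# Constructed sample: a name_bind denial for master on 10025, one non-AVC
# record that must be skipped, and a dir write denial for virtual.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1392000000.123:4567): avc:  denied  { name_bind } for  '
    'pid=1234 comm="master" src=10025 scontext=system_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1392000000.123:4567): arch=c000003e syscall=49 success=no',
    'type=AVC msg=audit(1392000000.456:4568): avc:  denied  { write } for  '
    'pid=1235 comm="virtual" name="new" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:postfix_virtual_t:s0 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir',
]


def parse_avc(line):
    """Return the denial's fields, or None when the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; the type is what policy rules name.
    return {
        "perms": m.group("perms").split(),
        "domain": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def recommend(avc, path=None):
    """Map one denial to (scope, commands), preferring labelling over booleans.

    `path` is the directory the admin knows the domain should write; AVC
    records carry only name= and ino=, not the full path.
    """
    dom, tgt, cls = avc["domain"], avc["target"], avc["tclass"]
    if cls in ("tcp_socket", "udp_socket") and "name_bind" in avc["perms"] and tgt == "port_t":
        port = avc["fields"].get("src")
        ptype = PORT_TYPE_FOR_DOMAIN.get(dom)
        if ptype and port:
            proto = "tcp" if cls == "tcp_socket" else "udp"
            # audit2allow would suggest `setsebool -P allow_ypbind=on`, which
            # lets every domain bind unreserved ports; this touches one port.
            return "object-label", [f"semanage port -a -t {ptype} -p {proto} {port}"]
        return "custom-module", [f"# .te module: allow {dom} port_t:{cls} name_bind;"]
    if cls in ("file", "dir", "lnk_file") and dom in FILE_TYPE_FOR_DOMAIN:
        ftype = FILE_TYPE_FOR_DOMAIN[dom]
        if tgt != ftype and path:
            # An fcontext rule survives relabels; chcon alone does not.
            return "object-label", [f'semanage fcontext -a -t {ftype} "{path}(/.*)?"',
                                    f"restorecon -Rv {path}"]
    return "review", ["# audit2allow -w on this record; do not blanket-allow"]


def triage(lines, known_paths):
    """Parse every AVC line and attach the narrowest fix, best ranked first."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        scope, cmds = recommend(avc, known_paths.get(avc["domain"]))
        results.append({"domain": avc["domain"], "scope": scope,
                        "rank": SCOPE_RANK.get(scope, 9), "commands": cmds})
    return sorted(results, key=lambda r: r["rank"])


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT, {"postfix_virtual_t": "/var/userdata/mail"}):
        print(r["domain"], r["scope"])
        for c in r["commands"]:
            print("   ", c)
```

Feed it `grep AVC /var/log/audit/log` output and a map of which directories each Postfix domain is meant to write; a denial it cannot label safely falls back to "review" rather than to a boolean, which is the point of the question asked in the first reply above.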