Re: [OT] SELinux Policies (port & maildir location)

2014-02-10 Thread Ori Bani
On 2/10/14, Michal Bruncko  wrote:
> > * A custom smtpd instance listening on the loopback interface on port
> > 10025
> as you can see from your policy posted at the end of your post - you can
> simply allow postfix to bind to port 10025 using command:
> setsebool -P allow_ypbind=on
> (parameter -P makes this change permanent)

I chose not to do that because it is global, not specific to Postfix.
Why would I open a door more widely when I can just add a policy for
the specific process in question?  (Not being sarcastic, I want to
know)

> > * Using Postfix virtual as the delivery agent to maildirs that are
> > not under the normal local /var/spool/mail
> > I copied the context of /var/spool/mail like this: chcon -R -u
> > system_u -r object_r -t mail_spool_t /var/userdata/mail
>
> to make this change permanent use following command:
>
> semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"
>
> and after that: restorecon -Rv /var/userdata/mail/
> (all wrongly labeled files should get correct context according to the
> semanage rule above)

Ah, this is what I was looking for.  Thank you!

> ..in order to use "semanage" tool you have to install
> "policycoreutils-python" package.

Already had it in order to use audit2allow, but this is a good tip,
because it's not obvious at all (not even documented in the vendor
SELinux how-to page).


Re: [OT] SELinux Policies (port & maildir location)

2014-02-10 Thread Michal Bruncko

Hello

> * A custom smtpd instance listening on the loopback interface on port
> 10025
as you can see from your policy posted at the end of your post - you can
simply allow postfix to bind to port 10025 using command:

setsebool -P allow_ypbind=on
(parameter -P makes this change permanent)

> * Using Postfix virtual as the delivery agent to maildirs that are
> not under the normal local /var/spool/mail
> I copied the context of /var/spool/mail like this: chcon -R -u
> system_u -r object_r -t mail_spool_t /var/userdata/mail


to make this change permanent use following command:

semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?"

and after that: restorecon -Rv /var/userdata/mail/
(all wrongly labeled files should get correct context according to the
semanage rule above)


..in order to use "semanage" tool you have to install 
"policycoreutils-python" package.


it is very good to make it permanent as all new folders/files within 
this directory get correct context. as well if some rebuild action will 
be performed (like because of upgrading of selinux-policy packages).


so as you can see, no custom selinux modules are needed in order to make 
this working :)


michal


On 10. 2. 2014 1:47, Ori Bani wrote:

I have Postfix running on CentOS 6 with SELinux in enforcing targeted
mode.  By default, SELinux will block the following two components of
my system:

* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not
under the normal local /var/spool/mail

I'm not a SELinux expert, so I wanted to ask if anyone here has a
critique of how I configured SELinux to work.  For the non-standard
maildir location, I copied the context of /var/spool/mail like this:

chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail

From what I understand, this will work unless contexts are rebuilt.
We don't plan to rebuild, but to be safe I'd rather create a SELinux
policy that dictates this location should have the same context as the
system mail spool.  Does anyone have a .te file example for doing
that?

For the custom port, I used this to create a new policy module (of
course it has to be compiled and installed), which seems to be all I
need(?)
__

module postfixport 1.0;

require {
 type postfix_master_t;
 type port_t;
 class tcp_socket name_bind;
}

#= postfix_master_t ==

# This avc can be allowed using the boolean allow_ypbind
allow postfix_master_t port_t:tcp_socket name_bind;


--
Ing. Michal Bruncko, PhD., CCNP, RHCSA™
IT systems and network administrator
Coupled school of business and services Ruzomberok
Slovak Republic
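The following script is an added example, not code from either poster: it makes the maildir label permanent as Michal describes, labels only tcp/10025 for Postfix instead of turning on a global boolean (the narrower option Ori was asking about), and then verifies both. It assumes a CentOS 6 targeted policy where postfix_master_t is already allowed to bind smtp_port_t, policycoreutils-python installed, and the /var/userdata/mail and 10025 values from the thread; nothing is changed unless it is run as root with the "apply" argument.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: MAILDIR and PORT below.
set -e

MAILDIR=/var/userdata/mail
PORT=10025

# Extract the SELinux type from a context string such as
# "system_u:object_r:mail_spool_t:s0" (third colon-separated field).
context_type() {
    echo "$1" | cut -d: -f3
}

# Read "context path" lines on stdin (what `stat -c '%C %n'` prints) and
# return 0 only if every entry carries the wanted type, 1 otherwise.
all_have_type() {
    wanted=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctx=${line%% *}
        [ "$(context_type "$ctx")" = "$wanted" ] || return 1
    done
    return 0
}

apply() {
    # 1. Persistent file-context rule (survives relabels and policy
    #    upgrades), then relabel what is already on disk.
    semanage fcontext -a -t mail_spool_t "${MAILDIR}(/.*)?"
    restorecon -Rv "$MAILDIR"
    # 2. Label just this one port as an SMTP port. Only domains allowed to
    #    bind smtp_port_t (postfix_master_t among them, assumed here) gain
    #    anything; no global boolean is flipped.
    semanage port -a -t smtp_port_t -p tcp "$PORT"
}

verify() {
    # Every file and directory under MAILDIR must now be mail_spool_t.
    find "$MAILDIR" -exec stat -c '%C %n' {} + | all_have_type mail_spool_t \
        || { echo "entries under $MAILDIR are not mail_spool_t" >&2; return 1; }
    # The port must appear in the smtp_port_t line of the port map.
    semanage port -l | grep -q "^smtp_port_t.*\b${PORT}\b" \
        || { echo "tcp/$PORT is not labeled smtp_port_t" >&2; return 1; }
    echo "labels look right"
}

case "${1:-}" in
    apply)  apply; verify ;;
    verify) verify ;;
esac
```

Run it with "verify" alone after an upgrade of selinux-policy to confirm the labels survived.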



[OT] SELinux Policies (port & maildir location)

2014-02-09 Thread Ori Bani
I have Postfix running on CentOS 6 with SELinux in enforcing targeted
mode.  By default, SELinux will block the following two components of
my system:

* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not
under the normal local /var/spool/mail

I'm not a SELinux expert, so I wanted to ask if anyone here has a
critique of how I configured SELinux to work.  For the non-standard
maildir location, I copied the context of /var/spool/mail like this:

chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail

From what I understand, this will work unless contexts are rebuilt.
We don't plan to rebuild, but to be safe I'd rather create a SELinux
policy that dictates this location should have the same context as the
system mail spool.  Does anyone have a .te file example for doing
that?

For the custom port, I used this to create a new policy module (of
course it has to be compiled and installed), which seems to be all I
need(?)
__

module postfixport 1.0;

require {
type postfix_master_t;
type port_t;
class tcp_socket name_bind;
}

#= postfix_master_t ==

# This avc can be allowed using the boolean allow_ypbind
allow postfix_master_t port_t:tcp_socket name_bind;