
Stephen John Smoogen 04-15-2011 08:22 PM

Fwd: newer postfix on RHEL5 (selinux policy)
 
Asked Daniel Walsh what would be needed for a postfix2x policy. I am
wondering: if we added the policy to the rpm with instructions on how
to install it, would that be ok?


---------- Forwarded message ----------
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Thu, Apr 14, 2011 at 12:55
Subject: Re: newer postfix on RHEL5 (selinux policy)
To: Stephen John Smoogen <smooge@gmail.com>


On 04/14/2011 12:44 PM, Stephen John Smoogen wrote:
> So people in EPEL are looking at packaging a newer postfix for RHEL4/5
> as it has features they need. The problem though is with an selinux
> policy for it as we would like to have it sit in parallel directories
> and not conflict with the RHEL postfix. What would be the best ways to
> make a policy for the systems (if it can only be RHEL5 oh well).
>

Just copy the existing file context files and change the path.

In RHEL5 you could just add the labels using semanage or better would be
to install a pp file. You need a one liner for postfix.te. Then just
include a postfixnew.fc file with new paths. The type definition should
remain the same. You would also need to run restorecon on the paths
after you install the policy module.


cat postfixnew.te
policy_module(postfixnew,1.0)

cat postfixnew.fc
# postfix
/etc/postfix(/.*)?                      gen_context(system_u:object_r:postfix_etc_t,s0)
ifdef(`distro_redhat', `
/usr/libexec/postfix/.*             --  gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup        --  gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/libexec/postfix/lmtp           --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/libexec/postfix/local          --  gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/libexec/postfix/master         --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/libexec/postfix/pickup         --  gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
/usr/libexec/postfix/(n)?qmgr       --  gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
/usr/libexec/postfix/showq          --  gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/libexec/postfix/smtp           --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/libexec/postfix/scache         --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/libexec/postfix/smtpd          --  gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/libexec/postfix/bounce         --  gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/libexec/postfix/pipe           --  gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/libexec/postfix/virtual        --  gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
', `
/usr/lib/postfix/.*                 --  gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup            --  gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local              --  gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master             --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup             --  gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
/usr/lib/postfix/(n)?qmgr           --  gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
/usr/lib/postfix/showq              --  gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp               --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp               --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache             --  gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/smtpd              --  gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce             --  gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe               --  gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
')
/etc/postfix/postfix-script.*       --  gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch              --  gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias                 --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop                  --  gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix                   --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick                  --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postlock                  --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postlog                   --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postmap                   --  gen_context(system_u:object_r:postfix_map_exec_t,s0)
/usr/sbin/postqueue                 --  gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper                 --  gen_context(system_u:object_r:postfix_master_exec_t,s0)
/var/lib/postfix(/.*)?                  gen_context(system_u:object_r:postfix_var_lib_t,s0)
/var/run/postfix(/.*)?                  gen_context(system_u:object_r:postfix_var_run_t,s0)

/var/spool/postfix(/.*)?                gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/maildrop(/.*)?       gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid/.*               gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)?        gen_context(system_u:object_r:postfix_private_t,s0)
/var/spool/postfix/public(/.*)?         gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)?         gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)?          gen_context(system_u:object_r:postfix_spool_flush_t,s0)
dwalsh@lo



--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren

_______________________________________________
epel-devel-list mailing list
epel-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/epel-devel-list
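
Added example (not part of the original thread and not Daniel Walsh's or EPEL's code): one way to script the steps described above, which are to copy the stock file contexts under new paths with the types unchanged, build and install the module, then relabel. PREFIX, /opt/postfixnew and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. PREFIX is an assumed parallel install
# root; it must not contain regex metacharacters, since .fc paths are regexes.
PREFIX=${PREFIX:-/opt/postfixnew}

# stdin: stock postfix .fc entries; stdout: the same entries under $PREFIX.
# Entries whose gen_context() wrapped onto the next line (as in the mail) are
# rejoined. Types are left unchanged; ifdef and comment lines pass through.
rewrite_fc() {
    awk -v prefix="$PREFIX" '
        /^[ \t]*$/ { next }
        /^\// && !/gen_context/ { pending = $0; next }
        /^gen_context/ && pending != "" { $0 = pending " " $0; pending = "" }
        /^\// { print prefix $0; next }
        { print }
    '
}

# $1: output directory; stdin: stock .fc. Writes the one-line .te and the .fc.
write_module_source() {
    printf 'policy_module(postfixnew,1.0)\n' > "$1/postfixnew.te"
    rewrite_fc > "$1/postfixnew.fc"
}

# $1: directory holding postfixnew.te/.fc. Run as root on the target host;
# needs selinux-policy-devel for the Makefile. Relabels only the new tree.
install_module() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile postfixnew.pp ) &&
        semodule -i "$1/postfixnew.pp" &&
        restorecon -R "$PREFIX"
}

# Removes the module again and resets labels to the remaining policy.
remove_module() {
    semodule -r postfixnew && restorecon -R "$PREFIX"
}
```

Only rewrite_fc and write_module_source are safe to run on a build machine; install_module and remove_module change the loaded policy and belong on the target host.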

Manuel Wolfshant 04-16-2011 01:03 AM

Fwd: newer postfix on RHEL5 (selinux policy)
 
On 04/15/2011 11:22 PM, Stephen John Smoogen wrote:

> Asked Daniel Walsh what would be needed for a postfix2x policy. I am
> wondering: if we added the policy to the rpm with instructions on how
> to install it, would that be ok?

Extremely ugly, against the common usage in RHEL and Fedora but
functional. I could live with that if properly triggered from
%postinstall and if the custom policy would be removed when
uninstalling the package.



Manuel




