Old 01-16-2008, 01:55 PM
John Griffiths
 
postfix sendmail and GeoIP

I use postfix and installed GeoIP so that country of origin can be
determined from the IP. postfix.sendmail is constrained so that it
cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .


The AVC is:

avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
scontext=system_u:system_r:system_mail_t:s0 sgid=48
subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48


I ran audit2allow -M which produced the following policy:

module postfixSendmail 1.0;

require {
type system_mail_t;
type usr_t;
class file read;
}

#============= system_mail_t ==============
allow system_mail_t usr_t:file read;

I don't think allowing postfix.sendmail to read all files of type usr_t
is the right thing to do, yet, I do need to allow postfix.sendmail to
read the GeoIP data file.


Any suggestions?

Regards,
John

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-16-2008, 02:08 PM
Stefan Schulze Frielinghaus
 
postfix sendmail and GeoIP

On Wed, 2008-01-16 at 09:55 -0500, John Griffiths wrote:
> I use postfix and installed GeoIP so that country of origin can be
> determined from the IP. postfix.sendmail is constrained so that it
> cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .
>
> The AVC is:
>
> avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
> exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
> items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
> scontext=system_u:system_r:system_mail_t:s0 sgid=48
> subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48
>
>
> I ran audit2allow -M which produced the following policy:
>
> module postfixSendmail 1.0;
>
> require {
> type system_mail_t;
> type usr_t;
> class file read;
> }
>
> #============= system_mail_t ==============
> allow system_mail_t usr_t:file read;
>
> I don't think allowing postfix.sendmail to read all files of type usr_t
> is the right thing to do, yet, I do need to allow postfix.sendmail to
> read the GeoIP data file.
>
> Any suggestions?

I think it's not a big problem allowing _read_ of usr_t files. If you
really want to separate these files from others you could create a new
type. But like I already mentioned usr_t files do not hold any
confidential information (or at least they shouldn't). IMHO I would
allow read access.

-Stefan

 
Old 01-16-2008, 02:31 PM
Manuel Wolfshant
 
postfix sendmail and GeoIP

Stefan Schulze Frielinghaus wrote:
> > I ran audit2allow -M which produced the following policy:
> >
> > module postfixSendmail 1.0;
> >
> > require {
> > type system_mail_t;
> > type usr_t;
> > class file read;
> > }
> >
> > #============= system_mail_t ==============
> > allow system_mail_t usr_t:file read;
> >
> > I don't think allowing postfix.sendmail to read all files of type usr_t
> > is the right thing to do, yet, I do need to allow postfix.sendmail to
> > read the GeoIP data file.
> >
> > Any suggestions?
>
> I think it's not a big problem allowing _read_ of usr_t files. If you
> really want to separate these files from others you could create a new
> type. But like I already mentioned usr_t files do not hold any
> confidential information (or at least they shouldn't). IMHO I would
> allow read access.
>
> -Stefan

+ You could also add into the equation the good old pre-SELinux attributes
and allow postfix.sendmail to read only from the desired dir. Either
setfacl or chmod o-rwx plus chgrp (or variants of this combination)
would help here.


 
Old 01-16-2008, 04:08 PM
Dave Quigley
 
postfix sendmail and GeoIP

On Wed, 2008-01-16 at 09:55 -0500, John Griffiths wrote:
> I use postfix and installed GeoIP so that country of origin can be
> determined from the IP. postfix.sendmail is constrained so that it
> cannot read the GeoIP database file, /usr/share/GeoIP/GeoIP.dat .
>
> The AVC is:
>
> avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48
> exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48
> items=0 path=/usr/share/GeoIP/GeoIP.dat pid=27728
> scontext=system_u:system_r:system_mail_t:s0 sgid=48
> subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48
>
>
> I ran audit2allow -M which produced the following policy:
>
> module postfixSendmail 1.0;
>
> require {
> type system_mail_t;
> type usr_t;
> class file read;
> }
>
> #============= system_mail_t ==============
> allow system_mail_t usr_t:file read;
>
> I don't think allowing postfix.sendmail to read all files of type usr_t
> is the right thing to do, yet, I do need to allow postfix.sendmail to
> read the GeoIP data file.
>
> Any suggestions?
>
> Regards,
> John
>
> --
If you want the resource to have its own type you could modify the
policy you have to look like something below. Note this hasn't been
tested in any way so your mileage may vary. The fc file will make
sure that the file gets relabeled properly. I haven't worked with
modular policy much so I may have missed something.

postfixSendmail.te

module postfixSendmail 1.0;

require {
type system_mail_t;
class file read;
}

# Dedicated type for the GeoIP database, so the allow rule below
# covers only this file rather than every usr_t file.
type geoip_usr_t;

#============= system_mail_t ==============
allow system_mail_t geoip_usr_t:file read;

postfixSendmail.fc
# file_contexts paths are regular expressions, hence the escaped dot.
/usr/share/GeoIP/GeoIP\.dat -- system_u:object_r:geoip_usr_t:s0

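As an added example (not from the thread or from any of its posters), the Python below parses the AVC denial quoted above and derives both the blanket rule audit2allow emits and the dedicated-type alternative Dave sketches, as a .te/.fc pair. The module and type names come from the thread; the BROAD_TYPES list and the sample line are my own assumptions.

```python
import re

# Generic refpolicy file types; an allow rule on one of these covers far more
# than the single file in the denial (assumed list, not exhaustive).
BROAD_TYPES = {"usr_t", "etc_t", "var_t", "var_lib_t", "tmp_t", "default_t"}
FC_FLAGS = {"file": "--", "dir": "-d", "lnk_file": "-l"}  # file_contexts class flags
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$")

# The denial from the thread, reflowed onto one line (constructed sample input).
SAMPLE_AVC = (
    "avc: denied { read } for comm=sendmail dev=dm-0 egid=48 euid=48 "
    "exe=/usr/sbin/sendmail.postfix exit=0 fsgid=48 fsuid=48 gid=48 items=0 "
    "path=/usr/share/GeoIP/GeoIP.dat pid=27728 "
    "scontext=system_u:system_r:system_mail_t:s0 sgid=48 suid=48 tclass=file "
    "tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48")

def parse_avc(text):
    """Parse one AVC denial (possibly wrapped over several lines) into a dict."""
    m = AVC_RE.search(" ".join(text.split()))
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("kv").split() if "=" in f)
    # A context is user:role:type[:range]; the type is the third field.
    return {"perms": m.group("perms").split(), "tclass": kv.get("tclass"),
            "path": kv.get("path"),
            "source_type": kv["scontext"].split(":")[2],
            "target_type": kv["tcontext"].split(":")[2]}

def blanket_rule(d):
    """What audit2allow emits: every file of the target type becomes readable."""
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {' '.join(d['perms'])};"

def scoped_module(d, name, new_type):
    """Return (te, fc) text granting the permission only on a dedicated type."""
    perms = " ".join(d["perms"])
    te = (f"module {name} 1.0;\n\nrequire {{\n\ttype {d['source_type']};\n"
          f"\tclass {d['tclass']} {{ {perms} }};\n}}\n\ntype {new_type};\n\n"
          f"allow {d['source_type']} {new_type}:{d['tclass']} {{ {perms} }};\n")
    # file_contexts paths are regexes, so the literal path must be escaped.
    fc = f"{re.escape(d['path'])} {FC_FLAGS[d['tclass']]} system_u:object_r:{new_type}:s0\n"
    return te, fc

def review(text, name="postfixSendmail", new_type="geoip_usr_t"):
    """Flag a denial against a broad type and propose the scoped module instead."""
    d = parse_avc(text)
    if d is None:
        return None
    broad = d["target_type"] in BROAD_TYPES and d["path"] is not None
    return {"denial": d, "blanket": blanket_rule(d), "broad": broad,
            "scoped": scoped_module(d, name, new_type) if broad else None}
```

Calling review(SAMPLE_AVC) returns the audit2allow rule under "blanket" and the narrowed .te/.fc texts under "scoped"; the generated module still has to be built and loaded with the usual checkmodule/semodule_package/semodule steps and the file relabeled with restorecon.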