Bug 174216 - local.te modifications necessary for mail server
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-11-25 18:26 EST by Gabriel Schulhof
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-10-05 10:11:49 EDT

Attachments
The audit log resulting in the allow statements (641.82 KB, text/plain)
2005-12-02 14:52 EST, Gabriel Schulhof

Description Gabriel Schulhof 2005-11-25 18:26:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.12) Gecko/20050929

Description of problem:
We set up a postfix/mailman/dovecot/MailScanner/spamassassin/squirrelmail mail server. We had to make the following additions to local.te based on audit2allow < /var/log/audit/audit.log:

allow postfix_local_t etc_t:file lock;
allow postfix_master_t devpts_t:chr_file getattr;
allow postfix_master_t devpts_t:dir search;
allow postfix_master_t etc_t:file { lock write };
allow postfix_master_t mailman_data_t:dir { add_name remove_name search write };
allow postfix_master_t mailman_data_t:file { create getattr read rename write };
allow postfix_master_t policy_src_t:dir search;
allow postfix_master_t user_home_dir_t:dir search;
allow postfix_master_t var_lib_t:dir search;
allow postfix_smtpd_t etc_t:file lock;
allow postfix_local_t lib_t:file execute_no_trans;
allow postfix_local_t mailman_data_t:dir { add_name remove_name write };
allow postfix_local_t mailman_data_t:file { create getattr rename write };
allow postfix_local_t mailman_log_t:dir search;
allow postfix_local_t mailman_log_t:file { append getattr read };
allow postfix_local_t var_log_t:dir search;

# httpd and squirrelmail/mailman
allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t user_home_t:file getattr;
allow mailman_cgi_t urandom_device_t:chr_file read;
allow mailman_cgi_t var_run_t:dir search;
allow mailman_cgi_t nscd_var_run_t:dir search;

# dovecot
allow dovecot_t postfix_etc_t:dir { getattr search read };
allow dovecot_t postfix_etc_t:file { getattr read lock setattr };

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a mail server with the above features
2. Experience frustration as selinux trips you up at every turn.
3. Resolve to be patient and work with selinux instead of turning it off.

Actual Results:  selinux tripped us up at every turn.

Expected Results:  All rpms should be selinux aware and make the appropriate policy modifications.

Additional info:
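The audit2allow step the report describes, as an added example that is neither Fedora's audit2allow nor the reporter's code: a small Python aggregator that groups AVC denial records by source type, target type and object class and renders them as the brace-form allow rules shown above. The audit lines are constructed to resemble the denials behind the postfix_local_t/mailman_data_t and mailman_cgi_t rules; they are not taken from the attachment.

```python
"""Minimal audit2allow-style aggregator (added example, not the Fedora tool).
Groups AVC denials by (source type, target type, class) and emits 'allow'
rules, so each rule can be traced back to the denials that produced it."""
import re
from collections import defaultdict

# Constructed sample records modelled on the report's denials; not real log data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1133538778.310:101): avc:  denied  { search } for  pid=4211 comm="local" name="mailman" dev=sda3 ino=9001 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:mailman_data_t tclass=dir
type=AVC msg=audit(1133538778.311:102): avc:  denied  { write add_name } for  pid=4211 comm="local" name="lists" dev=sda3 ino=9002 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:mailman_data_t tclass=dir
type=AVC msg=audit(1133538778.312:103): avc:  denied  { create } for  pid=4211 comm="local" name="tmpXYZ" scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:mailman_data_t tclass=file
type=SYSCALL msg=audit(1133538778.312:103): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1133538779.001:104): avc:  denied  { read } for  pid=5120 comm="mailman" path="/dev/urandom" scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# Permissions inside the braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type[:level] -> type; the optional MLS/MCS level is ignored
    return context.split(":")[2]

def collect_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no denial
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render sorted rules: a lone permission bare, several inside braces."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(collect_denials(SAMPLE_AUDIT_LOG))))
```

Keeping the mapping from denial to rule is what lets a reviewer question broad grants such as write on etc_t or execute_no_trans on lib_t before they go into local.te.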
Comment 1 Daniel Walsh 2005-11-30 10:07:40 EST
Please include the audit log as an attachment.
Comment 2 Gabriel Schulhof 2005-12-02 14:52:58 EST
Created attachment 121778 [details]
The audit log resulting in the allow statements

This is (most likely) the file we used to create those allow statements via
audit2allow. We did this a while back, however, when I ran audit2allow on this
file, it produced all of those statements again ...
Comment 3 Daniel Walsh 2006-10-05 10:11:49 EDT
Closing since FC4 is no longer supported. Reopen if this is the case in FC5 or FC6.
