Bug 174216 - local.te modifications necessary for mail server
Summary: local.te modifications necessary for mail server
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-11-25 23:26 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-05 14:11:49 UTC
Type: ---
Embargoed:


Attachments
The audit log resulting in the allow statements (641.82 KB, text/plain)
2005-12-02 19:52 UTC, Gabriel Schulhof

Description Gabriel Schulhof 2005-11-25 23:26:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.12) Gecko/20050929

Description of problem:
We set up a postfix/mailman/dovecot/MailScanner/spamassassin/squirrelmail mail server. We had to make the following additions to local.te based on audit2allow < /var/log/audit/audit.log:

#postfix
allow postfix_local_t etc_t:file lock;
allow postfix_master_t devpts_t:chr_file getattr;
allow postfix_master_t devpts_t:dir search;
allow postfix_master_t etc_t:file { lock write };
allow postfix_master_t mailman_data_t:dir { add_name remove_name search write };
allow postfix_master_t mailman_data_t:file { create getattr read rename write };
allow postfix_master_t policy_src_t:dir search;
allow postfix_master_t user_home_dir_t:dir search;
allow postfix_master_t var_lib_t:dir search;
allow postfix_smtpd_t etc_t:file lock;
allow postfix_local_t lib_t:file execute_no_trans;
allow postfix_local_t mailman_data_t:dir { add_name remove_name write };
allow postfix_local_t mailman_data_t:file { create getattr rename write };
allow postfix_local_t mailman_log_t:dir search;
allow postfix_local_t mailman_log_t:file { append getattr read };
allow postfix_local_t var_log_t:dir search;

# httpd and squirrelmail/mailman
allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t user_home_t:file getattr;
allow mailman_cgi_t urandom_device_t:chr_file read;
allow mailman_cgi_t var_run_t:dir search;
allow mailman_cgi_t nscd_var_run_t:dir search;

# dovecot
allow dovecot_t postfix_etc_t:dir { getattr search read };
allow dovecot_t postfix_etc_t:file { getattr read lock setattr };


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.11

How reproducible:
Always

Steps to Reproduce:
1. Install a mail server with the above features
2. Experience frustration as SELinux trips you up at every turn.
3. Resolve to be patient and work with SELinux instead of turning it off.

Actual Results: SELinux tripped us up at every turn.

Expected Results: All rpms should be SELinux-aware and make the appropriate policy modifications.

Additional info:
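
To show the step the report describes (turning AVC denials in audit.log into local.te allow statements) together with the review a policy maintainer applies before adopting them, here is an added example that is not part of the bug report. It reimplements the core of audit2allow in Python over constructed sample denials; the sensitive-type list and the flagging heuristic are my assumptions, not part of any policy tool.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the FC4-era audit.log format (not the bug's attachment).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1133559178.823:101): avc:  denied  { lock } for  pid=2101 comm="master" name="aliases" dev=hda2 ino=40321 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1133559179.001:102): avc:  denied  { write } for  pid=2101 comm="master" name="aliases.db" dev=hda2 ino=40322 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1133559180.117:103): avc:  denied  { search } for  pid=2102 comm="local" name="mailman" dev=hda2 ino=50001 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:mailman_log_t tclass=dir
type=SYSCALL msg=audit(1133559180.117:103): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1133559181.300:104): avc:  denied  { getattr read } for  pid=2102 comm="local" name="post" dev=hda2 ino=50002 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:mailman_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

# Assumed list: target types where write-like access usually signals a mislabelled file, not a policy gap.
SENSITIVE_TYPES = {"etc_t", "bin_t", "lib_t", "policy_src_t", "shadow_t"}
WRITE_LIKE = {"write", "create", "append", "rename", "unlink", "setattr",
              "add_name", "remove_name", "execute_no_trans"}

def parse_denials(log_text):
    """Aggregate AVC denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC verdict
        stype = m.group("scon").split(":")[2]  # user:role:type -> type
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_allow_rules(rules):
    """Render aggregated denials as local.te allow statements, sorted for stable diffs."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

def flag_for_review(rules):
    """Return rules granting write-like access to sensitive types; verify labels before allowing."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        risky = perms & WRITE_LIKE
        if ttype in SENSITIVE_TYPES and risky:
            flagged.append((stype, ttype, tclass, sorted(risky)))
    return flagged
```

On the sample input the master daemon writing to an etc_t file is flagged, which is the kind of rule worth checking with ls -Z and restorecon before it goes into local.te.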

Comment 1 Daniel Walsh 2005-11-30 15:07:40 UTC
Please include the audit log as an attachment.

Comment 2 Gabriel Schulhof 2005-12-02 19:52:58 UTC
Created attachment 121778
The audit log resulting in the allow statements

This is (most likely) the file we used to create those allow statements via
audit2allow. We did this a while back, however, when I ran audit2allow on this
file, it produced all of those statements again ...

Comment 3 Daniel Walsh 2006-10-05 14:11:49 UTC
Closing since FC4 is no longer supported. Reopen if this is the case in FC5 or FC6.

