Sincerely yours,
Vadym Chepkov
--- On Sun, 8/2/09, Scott Radvan <sradvan(a)redhat.com> wrote:
From: Scott Radvan <sradvan(a)redhat.com>
Subject: spamassassin transition
To: fedora-selinux-list(a)redhat.com
Date: Sunday, August 2, 2009, 8:20 PM
Hi,
Working on the Postfix chapter in my SELinux managing confined services book [0] and am having trouble with Postfix/spamassassin.
I have got email traversing back and forth just fine, but I am trying to invoke a denial or a problem for which I can document the work-around.
spamassassin_can_network seems to be a good Boolean to explain, show the denial and then show the work-around for.
This Boolean is off by default, which as far as I can tell would stop spamassassin from launching as a daemon listening on the machine's actual IP/interface.
But my problem is that it is launching without a problem and listening on the machine's interface without error. I am assuming that it is working fine because the spamassassin processes are only launching as initrc_t, when it should be transitioning to something else..?
# ps -eZ | grep spamd
unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd
# ls -lZ /etc/init.d/spamassassin
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
(I tried labelling this differently to this default setting, to spamd_initrc_exec_t, but to no avail.)
# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
Basically I need to make sure spamassassin is starting normally so that the Boolean mentioned will block access. So any help is appreciated, should spamassassin as a daemon transition to something other than initrc_t? And how do I get it to do so?
Or am I going down the wrong track to get this Boolean which is off by default to do something which I can demonstrate and fix?
Thank you,
--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
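A check for the symptom described in the message above, added here as an example and not part of the original thread: it reads `ps -eZ` output and lists every process still running in `initrc_t`, i.e. a daemon that never left the init script's domain. The function names `stuck_in_initrc` and `sample_ps_output` are hypothetical, and the sample lines other than the three spamd entries are constructed.

```shell
#!/bin/sh
# Added example: list processes that are still in the init script domain.
# Input: `ps -eZ` output on stdin (columns: LABEL PID TTY TIME CMD).
# Output: "PID CMD" for each process whose SELinux type is initrc_t.
stuck_in_initrc() {
    awk '
        NR == 1 && $1 == "LABEL" { next }   # skip the header row
        {
            # A context is user:role:type:level. The level can contain
            # colons itself (s0-s0:c0.c1023), so read the type as the
            # third field counted from the left, never from the right.
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == "initrc_t")
                print $2, $5
        }
    '
}

# Constructed sample input. The three spamd lines mirror the ps output
# quoted in the message; the sshd and init lines are made up for contrast.
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 init
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ? 00:00:00 sshd
unconfined_u:system_r:initrc_t:s0 3085 ?       00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ?       00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ?       00:00:00 spamd
EOF
}

# On a live system: ps -eZ | stuck_in_initrc
sample_ps_output | stuck_in_initrc
```

Any PID this prints is running with whatever the init script domain is allowed, so Booleans scoped to the service's own domain do not constrain it.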