On Fri, 2013-02-22 at 17:38 +0000, Alain Williams wrote:
> My exim config needs to speak to MySQL (for greylisting).
> To allow this to work I needed to run:
> setsebool -P exim_can_connect_db 1
> And that seems to do the trick.
> Now sealert tells me:
> SELinux is preventing /usr/sbin/exim from getattr access on the file
> If you want to allow exim to have getattr access on the Index.xml file
> Then you need to change the label on /usr/share/mysql/charsets/Index.xml
> # semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'
> It then lists a whole set of suggested types.
> The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0
> I picked exim_t (which seemed reasonable - just on the name). But when I try I
> get permission denied, a bit of digging tells me that exim_t is a domain for a
> process rather than a type for a file.
> a) How do I work out what type to set the file to ?
In this case the optimal solution is to allow exim to read usr_t type
files but for the sake of example:
1. We know content in /usr/share is usable read-only content
2. We know the generic type for /usr/share is usr_t
So we need a type of file that exim_t can read-only:
sesearch -A -s exim_t -c file -p read
( in Fedora 18 exim_t is allowed to read usr_t files -- a rule returned
by the command above )
But if it does not on your config you can look at the rules it returns
and see what types of files exim_t can read ( read getattr open are at
least needed to read a file )
So one (less optimal) type you could use would be cert_t or locale_t
By learning the sesearch, semanage and seinfo tools and by being
creative and by having a basic understanding of the way things work one
can figure out a lot
> b) I would presumably need to do so for every file in
I guess this is a bug in CentOS 6.3; here is a quick fix:
mkdir ~/myexim; cd ~/myexim;
cat > myexim.te <<EOF
make -f /usr/share/selinux/devel/Makefile myexim.pp
sudo semodule -i myexim.pp
> c) Is changing the type on a file so that the MTA can access it the
> anyway, should I not be allowing exim access to usr_t instead ... but would
> that not open things too wide ?
In this case it's not the right thing to do most likely. You should
probably keep it usr_t and allow exim_t to read usr_t type of content.
> d) More generally: where do I look to get a list of all the XXX_t,
> are, what they are supposed to be used for, ... so that I can work out what
> the best choice is ?
seinfo and sesearch can do wonders if you know what to look for so
all types that are classified types for processes:
all types that are classified types for files:
all classifications of the exim_t type:
all classification of the usr_t type:
Everyone that can read usr_t files:
sesearch -A -t usr_t -c file -p read
All files that exim_t can read:
sesearch -ASCT -s exim_t -c file -p read
One can be very creative with these two commands and analyze the policy
in detail. There are however still things that it cannot tell you, but
it can tell you most of it.
It cannot tell you the main content of type attributes but it can show
you the characteristics of a type attribute:
for example ( determining the properties of the domain type attribute ):
sesearch -ASCT -s domain | grep " domain "
sesearch -ASCT -t domain | grep " domain "
> PS I am using CentOS 6.3.
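As an added example, not part of this thread or of any SELinux tool: a small Python script that parses the allow rules sesearch prints (both the setools 3 layout found on CentOS 6 and the setools 4 layout), lists the target types on which a domain holds the full { read getattr open } set, reports which of those permissions a domain still lacks on a given type, and renders a minimal refpolicy-style .te module of the kind the devel Makefile above builds. The sesearch lines embedded in it are constructed for the example, not captured from a real system, and the module name myexim and the exim_t/usr_t pair are taken from the thread.

```python
import re

# Constructed sample of `sesearch -A -s exim_t -c file` output in the
# setools 3 layout used on CentOS 6. These lines are made up for the example
# and are not the output of any real policy.
SAMPLE_SESEARCH = """\
Found 4 semantic av rules:
   allow exim_t exim_log_t : file { ioctl read write create getattr setattr lock append open } ;
   allow exim_t cert_t : file { ioctl read getattr lock open } ;
   allow exim_t locale_t : file { ioctl read getattr lock open } ;
   allow exim_t usr_t : file { getattr } ;
"""

# The permissions a process needs to open and read an existing file
# (the "read getattr open" set mentioned in the reply above).
READ_SET = frozenset({"read", "getattr", "open"})

# Matches "allow s t : file { ... } ;" (setools 3) as well as
# "allow s t:file { ... };" and "allow s t:file perm;" (setools 4).
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))"
)


def parse_sesearch(text):
    """Return (source, target, class, permissions) for every allow rule in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Found N semantic av rules:"
        if m.group("perms") is not None:
            perms = frozenset(m.group("perms").split())
        else:
            perms = frozenset([m.group("perm")])
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def granted_perms(rules, domain, ttype, cls="file"):
    """Union of permissions `domain` holds on `ttype` for object class `cls`."""
    have = set()
    for src, tgt, c, perms in rules:
        if src == domain and tgt == ttype and c == cls:
            have |= perms
    return have


def readable_types(rules, domain, needed=READ_SET, cls="file"):
    """Target types on which `domain` holds every permission in `needed`."""
    targets = {tgt for src, tgt, c, _ in rules if src == domain and c == cls}
    return sorted(t for t in targets if needed <= granted_perms(rules, domain, t, cls))


def missing_perms(rules, domain, ttype, needed=READ_SET, cls="file"):
    """Permissions from `needed` that `domain` does not yet hold on `ttype`."""
    return sorted(needed - granted_perms(rules, domain, ttype, cls))


def policy_module(name, domain, ttype, perms, cls="file"):
    """Render a minimal refpolicy-style .te source granting `perms` on `ttype`.

    The layout (policy_module + gen_require) is what the
    /usr/share/selinux/devel/Makefile used in the thread expects.
    """
    perm_list = " ".join(sorted(perms))
    return (
        f"policy_module({name}, 1.0)\n\n"
        "gen_require(`\n"
        f"    type {domain};\n"
        f"    type {ttype};\n"
        "')\n\n"
        f"allow {domain} {ttype}:{cls} {{ {perm_list} }};\n"
    )


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    print("types exim_t can fully read:", readable_types(rules, "exim_t"))
    lacking = missing_perms(rules, "exim_t", "usr_t")
    print("exim_t lacks on usr_t:", lacking)
    if lacking:
        # Grant the whole read set rather than only the missing pieces so the
        # module reads as one self-describing rule.
        print(policy_module("myexim", "exim_t", "usr_t", READ_SET))
```

On a real system the input would come from `sesearch -A -s exim_t -c file` instead of the embedded sample, and the rendered text would be written to myexim.te before running the make and semodule commands quoted above.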