Postfix/mailman problem
Eric Smith
eric at brouhaha.com
Thu Mar 2 20:06:24 UTC 2006
> I haven't worked on the postfix pipe policy, but it seems like the only
> thing it can execute at the moment is procmail.
How is that determined? I can't find a single reference to procmail
anywhere in the SELinux targeted configuration, and procmail doesn't
seem to have any special context:
# ls --lcontext /usr/bin/procmail
-rwxr-xr-x 1 system_u:object_r:bin_t root mail 100680 Mar 18 2005 /usr/bin/procmail
> I would say:
> - the type mailman_queue_exec_t looks wrong for that file - how did it
> get this type?
I'm not sure, actually. Should it just be system_u:object_r:bin_t?
> - the file /usr/lib/mailman/mail (which your script runs) appears to be
> a SGID executable to group mailman which runs other [mailman] programs.
> It has type lib_t, which is incorrect. I think whatever regexps are
> currently used in policy are overly generic, and misclassify lots of
> things as lib_t.
Should I change its context to system_u:object_r:bin_t?
> In the short run, maybe a macro can be added to postfix that takes a
> domain and allows postfix_pipe to run that.
Makes sense. I don't have any idea how to do it, though perhaps I can
find time this weekend to study the O'Reilly book more.
Thanks!
Eric