SELinux and mail relaying

Paul Howarth paul at city-fan.org
Mon Jul 10 11:21:16 UTC 2006


David G. Miller wrote:
> redhatdude at bellsouth.net wrote:
> 
>> There's no local.te in my system. I'm running FC5. Also, there is no  
>> such rpm or anything similar in the yum repositories. Yes,  
>> audit2allow gave me the rules to add, two of them indeed. The problem  
>> now is where to add them. Any idea?
>> Thanks a lot for your help, I really appreciate it.
>> EJ
>>
> I did some googling and it looks like Red Hat/Fedora has changed the way 
> they package the SELinux ruleset source for FC5.  It looks like you need 
> the source RPM for selinux-policy-targeted instead of how they packaged 
> things for FC4 and earlier with a separate package called 
> selinux-policy-targeted-sources.  I guess it makes sense to just move 
> the source to the source RPM instead of having a separate "sources" 
> package; just confusing for those of us who got used to doing things the 
> other way.
> 
> Here's a link to the source RPM but you should also be able to get it 
> just using your favorite flavor of yum.
> 
> ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/selinux-policy-2.2.38-1.fc5.src.rpm 
> 
> 
> This file contains:
> 
> [dave at bend ~/rpm]# rpm -qlp selinux-policy-2.2.38-1.fc5.src.rpm
> Makefile.devel
> booleans-mls.conf
> booleans-strict.conf
> booleans-targeted.conf
> modules-mls.conf
> modules-strict.conf
> modules-targeted.conf
> policy-20060505.patch
> policygentool
> selinux-policy.spec
> serefpolicy-2.2.38.tgz
> setrans-mls.conf
> setrans-strict.conf
> setrans-targeted.conf
> 
> I'm *guessing* you'll need to unpack serefpolicy-2.2.38.tgz in an 
> appropriate location and then add the local policy rules as I described 
> earlier.  Hopefully, the link from one of the other responses will 
> provide enough information about how to make a custom policy for FC5 
> although "policygentool" sounds like a likely suspect.

You don't need anything particularly complicated to do local policy 
changes in FC5 (it's much easier than in FC4 IMHO).

See:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
for example.

However, given that the OP's system is not delivering mail from cron, 
which is a pretty basic operation, I think the problem is one with the 
existing policy or with labelling rather than something that should just 
be allowed by local policy. I can't help much myself because I use 
sendmail and postfix is a mystery to me. That is why I referred the OP 
to fedora-selinux-list. The list is relatively quiet at weekends but 
might get more helpful soon.

Paul.
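
Added example, not part of the message above or of the linked wiki page: a small triage of AVC denials that separates likely labelling problems (fix by relabelling) from denials that need a policy review before any audit2allow rule is loaded. The audit-log lines are constructed samples, and the type set and verdict names are this example's own assumptions.

```python
import re
from collections import Counter

# Target types that normally mean a file never got, or lost, its label.
# The usual fix is relabelling (restorecon), not a new allow rule.
MISLABEL_TYPES = {"file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(lines):
    """Group AVC denials and flag the ones that look like labelling problems."""
    groups = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], tuple(sorted(m["perms"].split())))
        groups[key] += 1
    report = []
    for (src, tgt, tclass, perms), count in sorted(groups.items()):
        verdict = "relabel" if tgt in MISLABEL_TYPES else "review-policy"
        report.append({"source": src, "target": tgt, "class": tclass,
                       "perms": perms, "count": count, "verdict": verdict})
    return report

# Constructed sample records (not taken from the original poster's system).
SAMPLE = [
    'type=AVC msg=audit(1152526876.123:45): avc:  denied  { write } for  pid=2301 comm="postdrop" name="maildrop" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1152526936.456:52): avc:  denied  { write } for  pid=2317 comm="postdrop" name="maildrop" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1152526936.789:53): avc:  denied  { execute } for  pid=2316 comm="crond" name="postdrop" dev=dm-0 ino=41210 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1152526936.789:53): arch=40000003 syscall=11 success=no',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "relabel" verdict means the target carries a type that should not appear on a correctly labelled filesystem, so generating an allow rule for it would only hide the mislabelling.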



