SeLinux and mail relaying
Paul Howarth
paul at city-fan.org
Mon Jul 10 11:21:16 UTC 2006

David G. Miller wrote:
> redhatdude at bellsouth.net wrote:
>
>> There's no local.te in my system. I'm running FC5. Also, there is no
>> such rpm or anything similar in the yum repositories. Yes,
>> audit2allow gave me the rules to add, two of them indeed. The problem
>> now is where to add them. Any idea?
>> Thanks a lot for your help, I really appreciate it.
>> EJ
>>
> I did some googling and it looks like Red Hat/Fedora has changed the way
> they package the SELinux ruleset source for FC5. It looks like you need
> the source RPM for selinux-policy-targeted instead of how they packaged
> things for FC4 and earlier with a separate package called
> selinux-policy-targeted-sources. I guess it makes sense to just move
> the source to the source RPM instead of having a separate "sources"
> package; just confusing for those of us who got used to doing things the
> other way.
>
> Here's a link to the source RPM but you should also be able to get it
> just using your favorite flavor of yum.
>
> ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/selinux-policy-2.2.38-1.fc5.src.rpm
>
>
> This file contains:
>
> [dave at bend ~/rpm]# rpm -qlp selinux-policy-2.2.38-1.fc5.src.rpm
> Makefile.devel
> booleans-mls.conf
> booleans-strict.conf
> booleans-targeted.conf
> modules-mls.conf
> modules-strict.conf
> modules-targeted.conf
> policy-20060505.patch
> policygentool
> selinux-policy.spec
> serefpolicy-2.2.38.tgz
> setrans-mls.conf
> setrans-strict.conf
> setrans-targeted.conf
>
> I'm *guessing* you'll need to unpack serefpolicy-2.2.38.tgz in an
> appropriate location and then add the local policy rules as I described
> earlier. Hopefully, the link from one of the other responses will
> provide enough information about how to make a custom policy for FC5
> although "policygentool" sounds like a likely suspect.

You don't need anything particularly complicated to do local policy
changes in FC5 (it's much easier than in FC4 IMHO).

See:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
for example.

However, given that the OP's system is not delivering mail from cron,
which is a pretty basic operation, I think the problem is one with the
existing policy or with labelling rather than something that should just
be allowed by local policy. I can't help much myself because I use
sendmail and postfix is a mystery to me. That is why I referred the OP
to fedora-selinux-list. The list is relatively quiet at weekends but
might get more helpful soon.

Paul.
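
Added example, not part of the original message: a small triage script for the labelling-versus-local-policy question raised in the reply above. It groups AVC denials by source type, target type and class, and marks denials whose target carries a generic type as a labelling question rather than a candidate for a local allow rule. The log lines are constructed, and the generic-type list and verdict names are assumptions of this example.

```python
import re
from collections import defaultdict

# Generic types that usually mean an object never received a proper label
# (assumed heuristic list for this example).
MISLABEL_TYPES = {"file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit records; types, names and inode numbers are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1152530476.101:45): avc:  denied  { read } for  pid=2101 comm="sendmail" name="main.cf" dev=dm-0 ino=4711 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1152530476.101:45): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1152530476.102:46): avc:  denied  { getattr } for  pid=2101 comm="sendmail" name="main.cf" dev=dm-0 ino=4711 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1152530477.200:47): avc:  denied  { search } for  pid=2102 comm="postdrop" name="maildrop" dev=dm-0 ino=4800 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
"""

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group(1).split(),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"]}

def triage(log_text):
    """Merge denials per (source, target, class) and attach a verdict to each."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [("check-labels" if tgt in MISLABEL_TYPES else "check-policy",
             src, tgt, cls, sorted(perms))
            for (src, tgt, cls), perms in sorted(groups.items())]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A "check-labels" row points at file contexts to inspect before any rule is written; a "check-policy" row is one to compare against the shipped policy or raise on fedora-selinux-list before feeding it to audit2allow.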