Re: Domain Transitions (or the Exim4 policy)

[Shane Wegner <shane-keyword-selinux.9d5a25@cm.nu>]

On Fri, Dec 19, 2003 at 04:47:45PM +1100, Russell Coker wrote:
> Why did you change it to exim4_t?  It seems to me that as exim and sendmail 
> operate in the same manner it would be better to have a single policy to use 
> for them both.  This will make it easier to maintain the policy.

Point taken.  Exim does seem to use a slightly different
capability set and needs some modified permissions but
they're trivial changes.

> > permissions it needs.  Further, when a user sends mail, say
> > echo Hello world |mail
> > exim4 gets spawned but this time in the user_t domain,
> > again without the necessary permissions to write to its
> > spool.
> 
> In the sendmail policy it would transition to user_mail_t domain.

After adapting sendmail.te and putting that in per your
suggestion, it does indeed transition to user_mail_t though
I can't figure out how.  The problem I'm seeing now though
is from user_mail_t, exim doesn't have permission to wread
its config files.  Do I need to give user_mail_t or
user_mail_domain all the privileges given to sendmail_t in
the sendmail policy?  Also, is user_mail_t an alias for
some other domain.  I'm seeing user_mail_domain in policies
but don't see user_mail_t anywhere save a minor mention
in attrib.te.

Thanks for the suggestions, they were of great help.

Shane

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.