From: Shane Wegner <shane-keyword-selinux.9d5a25@cm.nu>
To: selinux@tycho.nsa.gov
Cc: Russell Coker <russell@coker.com.au>
Subject: Re: Domain Transitions (or the Exim4 policy)
Date: Fri, 19 Dec 2003 10:03:26 -0800 [thread overview]
Message-ID: <20031219180326.GA23288@cm.nu> (raw)
In-Reply-To: <200312191859.56996.russell@coker.com.au>
On Fri, Dec 19, 2003 at 06:59:56PM +1100, Russell Coker wrote:
> On Fri, 19 Dec 2003 18:09, Shane Wegner <shane-dated-1074409746.778e04@cm.nu>
> wrote:
> > On Fri, Dec 19, 2003 at 04:47:45PM +1100, Russell Coker wrote:
> > > Why did you change it to exim4_t? It seems to me that as exim and
> > > sendmail operate in the same manner it would be better to have a single
> > > policy to use for them both. This will make it easier to maintain the
> > > policy.
> >
> > Point taken. Exim does seem to use a slightly different
> > capability set and needs some modified permissions but
> > they're trivial changes.
>
> Send me a list.
>
> I think that possibly the solution to this is to have sendmail.te and exim.te
> both instantiate a common macro for 99% of the policy.
Ok, differences I can spot are:
Exim needs only read access to sendmail_conf_t it its case
/etc/exim4 and /var/lib/exim4
Init scripts need write access to /var/lib/exim4 as the
main config file automatically gets generated from
fragments on startup/reload.
Needs read access to /dev/urandom
Needs append-only access to sendmail_log_t In exim's case,
it's a directory (/var/log/exim4).
Needs complete access to sendmail_mqueue_t including
mkdir/rmdir/file locking etc. That's exim's playground.
Needs read access to /home or /home/(^/+)/.procmailrc. The
procmail filter checks for the existance of a user's
.procmailrc file which is how it decides whether to use
procmail as the delivery agent or if not found, it delivers
to the mail spool directly. I suppose it'd also need
$HOME/.forward etc.
Capabilities Exim uses which the sendmail.te doesn't
currently allow: dac_override fowner sys_resource.
Sendmail allows sys_nice and sys_tty_config which Exim does
not appear to use. Exim also needs a line similar to:
allow sendmail_t self:process setpgid;
Best,
Shane
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2003-12-19 18:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-19 2:45 Domain Transitions (or the Exim4 policy) Shane Wegner
2003-12-19 5:47 ` Russell Coker
2003-12-19 7:09 ` Shane Wegner
2003-12-19 7:59 ` Russell Coker
2003-12-19 18:03 ` Shane Wegner [this message]
2003-12-19 14:59 ` David A. Caplan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031219180326.GA23288@cm.nu \
--to=shane-keyword-selinux.9d5a25@cm.nu \
--cc=russell@coker.com.au \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.