From: petre rodan <kaiowas@gentoo.org>
To: selinux@tycho.nsa.gov
Subject: postfix policy question
Date: Thu, 07 Oct 2004 12:24:43 +0300
Message-ID: <41650B5B.5000903@gentoo.org>

Hi!

From postconf(1):
The postconf command prints the actual value of parameter (all known parameters by
default) one parameter per line, changes its value, or prints other information
about the Postfix mail system.

So sysadm_t should be able to exec this binary, regardless of the 'direct_sysadm_daemon' status.

postconf is currently labeled postfix_master_exec_t, so would it be ok to add the following to the policy?:

  ifdef(`direct_sysadm_daemon', `
  domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
  allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
  role_transition sysadm_r postfix_master_exec_t system_r;
  domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
  allow system_mail_t sysadm_t:process sigchld;
  allow system_mail_t privfd:fd use;
  ' ,`
+allow sysadm_t postfix_master_exec_t:file { execute execute_no_trans getattr read };
  ')dnl end direct_sysadm_daemon
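
Review bot: The added allow rule grants execute_no_trans on the whole postfix_master_exec_t type rather than on postconf alone, so in the else branch (direct_sysadm_daemon not defined) sysadm_t could run any file carrying that label in its own domain, with no transition to postfix_master_t. If the goal is only to let sysadm_t run postconf, consider giving postconf its own executable type and granting { execute execute_no_trans getattr read } on that type instead. Note also that the two branches behave differently: with direct_sysadm_daemon defined, running postconf still goes through domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t), so the command runs in postfix_master_t there and in sysadm_t here; a short comment in the policy stating which behaviour is intended would help.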

I'm not at all sure about this one, please don't shoot the messenger.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
