Chris PeBenito <[EMAIL PROTECTED]> wrote:

On Mon, 2007-08-27 at 15:25 +0200, [EMAIL PROTECTED] wrote:
I have noticed that by default the saslauthd daemon is allowed to
answer to every node in the world, as the network rules are
      corenet_tcp_sendrecv_all_if(saslauthd_t)
      corenet_tcp_sendrecv_all_nodes(saslauthd_t).

However, I want to optimize this in order to provide a deeper control with
[...]
         corenet_tcp_sendrecv_lo_if(saslauthd_t)
         corenet_tcp_sendrecv_all_nodes(saslauthd_t)


The compilation works well but I have a problem at the qmerge step:
the lo_netif_t dependency cannot be solved. Why is this, even though
internal modules (namely kernel/corenetwork.if) use these macros?

lo_netif_t is not defined in the policy.  You would have to declare it
in your local policy and then semanage to label the interface.

In fact, that's what I tried, but I am missing a point: what do you mean by 'label the interface'? I tried to find any lo interface but found nothing. The same goes for the other interfaces (ethX). I cannot find any netif_type labelled device on my system, so I think that I do not really understand this point.


BTW, the .fc file is not well suited for the postfix-sasl install.
la /var/lib gives me
drwxr-xr-x  root root    system_u:object_r:var_lib_t      sasl2

though it should be saslauthd_var_run_t (maybe a change of directory
for the saslauth project?)
cd /var/lib
chcon -t saslauthd_var_run_t sasl2/ sasl2/* -R

Does it fail without this fix?


In fact yes, because saslauthd tries to access var_lib_t labelled objects. So these
modifications have to be performed in order to prevent AVC messages (but I have not checked whether it blocks the saslauth daemon from running or not).

Julien Thomas
--
Chris PeBenito
<[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
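
What "declare it in your local policy and then semanage to label the interface" can look like, together with a relabel-safe form of the chcon fix, as an added example that is not part of the original thread. The module name localnetif and the helper function names are assumptions; building localnetif.pp from the generated source is done with your distribution's policy development Makefile.

```shell
#!/bin/sh
# Added example; module name "localnetif" and the helper names are assumptions.
# Commands are only printed (set -x style) unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Source of a local policy module declaring the type that
# corenet_tcp_sendrecv_lo_if() requires but the loaded policy lacks.
netif_module_te() {
    cat <<'EOF'
policy_module(localnetif, 1.0)

gen_require(`
    attribute netif_type;
')

type lo_netif_t, netif_type;
EOF
}

# "Label the interface": record in the policy store that kernel
# interface $1 carries type $2 (a netifcon entry, not a file label).
label_netif() {
    run semanage interface -a -t "$2" "$1"
}

# Persistent alternative to chcon: store the file-context rule for
# directory $1 and its contents, then apply it.
persist_fcontext() {
    run semanage fcontext -a -t "$2" "$1(/.*)?"
    run restorecon -R -v "$1"
}

# Full sequence; localnetif.pp must already be built from the source above.
plan() {
    run semodule -i localnetif.pp
    label_netif lo lo_netif_t
    run semanage interface -l
    persist_fcontext /var/lib/sasl2 saslauthd_var_run_t
}

case "${1:-}" in
    module) netif_module_te ;;
    plan)   plan ;;
esac
```

Once lo carries lo_netif_t, allow rules written only against netif_t no longer cover loopback traffic, so review AVC denials for other domains in permissive mode before enforcing.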



