I have Postfix running on CentOS 6 with SELinux in enforcing targeted
mode. By default, SELinux will block the following two components of
my system:
* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not
under the normal local /var/spool/mail
I'm not a SELinux expert, so I wanted to ask if anyone here has a
critique of how I configured SELinux to work. For the non-standard
maildir location, I copied the context of /var/spool/mail like this:
chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail
From what I understand, this will work unless contexts are rebuilt.
We don't plan to rebuild, but to be safe I'd rather create a SELinux
policy that dictates this location should have the same context as the
system mail spool. Does anyone have a .te file example for doing
that?
For the custom port, I used this to create a new policy module (of
course it has to be compiled and installed), which seems to be all I
need(?)
__________
module postfixport 1.0;
require {
type postfix_master_t;
type port_t;
class tcp_socket name_bind;
}
#============= postfix_master_t ==============
#!!!! This avc can be allowed using the boolean allow_ypbind
allow postfix_master_t port_t:tcp_socket name_bind;
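One way to answer both parts persistently, as an added example rather than anything from the original post: a second raw-form policy module (same checkmodule/semodule_package workflow as postfixport above) whose .fc file pins /var/userdata/mail and everything beneath it to mail_spool_t, so the label is restored rather than lost on a relabel; and, instead of allowing postfix_master_t to name_bind any port_t port, labelling only 10025 as smtp_port_t, which the stock policy already lets postfix_master_t bind. The module name postfixmail, the --demo flag and the output directory are assumptions of this example; the privileged commands are printed, not executed, since they need root on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example (not from the original post): generate a raw-form SELinux
# policy module that labels a non-standard maildir root as mail_spool_t.
# MODULE_NAME, CUSTOM_PORT handling and the --demo flag are assumptions.

MODULE_NAME="postfixmail"          # assumed module name
MAILDIR_ROOT="/var/userdata/mail"  # path from the question
CUSTOM_PORT="10025"                # loopback smtpd port from the question

# .te: the module only has to reference the type it labels with. No allow
# rules are needed; postfix's own policy already covers mail_spool_t.
gen_te() {
    printf 'module %s 1.0;\n\nrequire {\n\ttype mail_spool_t;\n}\n' "$MODULE_NAME"
}

# .fc: regex, then the full context. "(/.*)?" matches the directory itself
# and every descendant; the trailing s0 field is required on targeted policy.
gen_fc() {
    printf '%s(/.*)?\tsystem_u:object_r:mail_spool_t:s0\n' "$MAILDIR_ROOT"
}

# Write both source files into a directory and echo that directory back.
write_module() {
    dir="${1:-.}"
    gen_te > "$dir/$MODULE_NAME.te"
    gen_fc > "$dir/$MODULE_NAME.fc"
    printf '%s\n' "$dir"
}

# Build, install and apply the module. -f hands the .fc file to
# semodule_package; restorecon then relabels the existing tree.
install_commands() {
    cat <<EOF
checkmodule -M -m -o $MODULE_NAME.mod $MODULE_NAME.te
semodule_package -o $MODULE_NAME.pp -m $MODULE_NAME.mod -f $MODULE_NAME.fc
semodule -i $MODULE_NAME.pp
restorecon -Rv $MAILDIR_ROOT
EOF
}

# Narrower alternative to "allow postfix_master_t port_t:tcp_socket name_bind"
# (which would let master bind any otherwise-unlabelled port): label just the
# custom port as smtp_port_t, which postfix_master_t may already bind.
port_label_command() {
    printf 'semanage port -a -t smtp_port_t -p tcp %s\n' "$CUSTOM_PORT"
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_module "$out" >/dev/null
    cat "$out/$MODULE_NAME.te" "$out/$MODULE_NAME.fc"
    install_commands
    port_label_command
fi
```

If you would rather not ship a module at all, the same file rule can be recorded with semanage fcontext -a -t mail_spool_t "/var/userdata/mail(/.*)?" followed by restorecon -R /var/userdata/mail; that also survives a full relabel, and with either approach chcon is no longer needed.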