Tired of ads? Upgrade to paid account and never see ads again!


Dan Walsh's Blog

Got SELinux?

Previous Entry Share Next Entry
Sharing files between two confined domains.
Sebastian Hennebrueder asks:

Postfix and dovecot shares the certicates.  I solved the problem in a way that I copied the certificates and set the corresponding context. I don't like this approach. Alternatively  I can use the normal audit2allow approach to allow postfix access to dovecot or vice versa but I would like not to give them this right. The best solution is to create a new context which can be accessed by both domains.  With the new module approach, how do I start to write a new context type? It is probably simple but I don't find the way to start by reading the documentation on the net.

It is fairly simple to build a custom policy module. This is what I would do:

create a file called mypostfix_dovecot.te

policy_module(mypostfix_dovecot, 1.0)

                     type postfix_t, dovecot_t;

type postfix_dovecot_cert_t;

read_files_pattern(postfix_t, postfix_dovecot_cert_t, postfix_dovecot_cert_t)
read_files_pattern(dovecot_t, postfix_dovecot_cert_t, postfix_dovecot_cert_t)

Now you can create a mypostfix_dovecot.fc or just use semange fcontext to assign the mapping to the path

/etc/pki/mycerts(/.*)?             gen_context(system_u:object_r:postfix_dovecot_cert_t,s0)

Now compile them up

# make -f /usr/share/selinux/devel/Makefile

Install it

# semodule -i mypostfix_dovecot.pp

Fix the labeling

# restorecon -R -v /etc/pki/mycerts

You are done.   You can copy and install the pp file to any machines that you want this policy on, and the changes will be permanent, if you need additional access you can change or add interfaces to the te file.

If you later want to remove you policy package

# semodule -r mypostfix_dovecot

Fix the file context

# restorecon -R -v /etc/pki/mycerts

No HTML allowed in subject


(will be screened)

You are viewing danwalsh