[CentOS] selinux & httpd & portmap

Fri Aug 1 18:43:00 UTC 2008
Toby Bluhm <tkb at midwestinstruments.com>

Just to follow up with a summary on this . . .

Followed the email HowTo on the CentOS wiki by installing postfix, 
dovecot, postgrey, amavisd and setting up SSL/TLS.

Set selinux to permissive, targeted.

Sent many, many emails with attachments, spam, etc. to & from the box.

Removed previous selinux entries from audit.log.

The new policy was extracted with
   cat new_audit.log|audit2allow -m local

module local 1.0;

require {
         type traceroute_port_t;
         type amavis_t;
         type postfix_spool_t;
         type clamd_t;
         type amavis_var_lib_t;
         type sysctl_kernel_t;
         type var_t;
         type postfix_smtpd_t;
         type initrc_t;
         type proc_t;
         class unix_stream_socket connectto;
         class file { read getattr };
         class sock_file write;
         class lnk_file { read create unlink getattr };
         class udp_socket name_bind;
         class dir { read search };
}

#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;

#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;

Put the policy into effect with
   cat new_audit.log|audit2allow -M local
   semodule -i local.pp

Ran through all the same email tests.

selinux has not complained - yet.

Toby Bluhm
Alltech Medical Systems America, Inc.
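An added review step that is not part of Toby's post: a small Python check that parses the allow rules out of audit2allow -m output like the one above and flags any whose target type is generic (var_t, proc_t), the init script domain (initrc_t) or a port label unrelated to mail (traceroute_port_t). The watch list is an assumption; the point is to look at those rules before semodule -i loads them, since they may indicate a mislabelled file or port rather than a permission the service really needs.

```python
import re

# Constructed sample: the allow rules from the post, plus a shortened require block.
POLICY_TEXT = """\
module local 1.0;

require {
    type amavis_t;
    type traceroute_port_t;
    class udp_socket name_bind;
}

#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;
#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow clamd_t var_t:file { read getattr };
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
"""

# allow <source> <target>:<class> <perm> ;   or   allow ... { perm perm ... } ;
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;")

# Assumed watch list: generic types (var_t, proc_t), the init script domain,
# and a port type that has nothing to do with mail. Rules hitting these
# deserve a second look (wrong file/port label?) before the module is loaded.
SUSPECT_TARGETS = {"var_t", "proc_t", "initrc_t", "traceroute_port_t"}

def parse_allow_rules(text):
    """Return (source, target, class, perms) tuples for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # module/require/comment lines are skipped
        src, tgt, cls, braced, single = m.groups()
        perms = tuple(braced.split()) if braced is not None else (single,)
        rules.append((src, tgt, cls, perms))
    return rules

def flag_broad_rules(text, suspects=SUSPECT_TARGETS):
    # Return only the allow rules whose target type is on the watch list.
    return [r for r in parse_allow_rules(text) if r[1] in suspects]
```

Running flag_broad_rules(POLICY_TEXT) on the post's module returns five rules to review; the four postfix/clamd rules against their own types pass through untouched.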