Zarafa Selinux policy

From Zarafa wiki

(Difference between revisions)
 
Line 4: Line 4:
<pre>
<pre>
-
module zarafa 1.0;
+
module zarafa 1.1;
require {
require {
type var_run_t;
type var_run_t;
-
type tmp_t;
+
type postfix_postdrop_t;
type httpd_t;
type httpd_t;
type postfix_pipe_t;
type postfix_pipe_t;
Line 14: Line 14:
class sock_file write;
class sock_file write;
class unix_stream_socket connectto;
class unix_stream_socket connectto;
-
class dir { write remove_name search add_name };
+
class fifo_file { write getattr };
-
class file { rename write getattr read create unlink append };
+
}
}
Line 24: Line 23:
#============= postfix_pipe_t ==============
#============= postfix_pipe_t ==============
allow postfix_pipe_t initrc_t:unix_stream_socket connectto;
allow postfix_pipe_t initrc_t:unix_stream_socket connectto;
-
allow postfix_pipe_t tmp_t:dir { write remove_name search add_name };
 
-
allow postfix_pipe_t tmp_t:file { rename write getattr read create unlink append };
 
allow postfix_pipe_t var_run_t:sock_file write;
allow postfix_pipe_t var_run_t:sock_file write;
 +
 +
#============= postfix_postdrop_t ==============
 +
allow postfix_postdrop_t initrc_t:fifo_file { write getattr };
</pre>
</pre>
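Review bot: the new rule "allow postfix_postdrop_t initrc_t:fifo_file { write getattr };" at the end of this hunk targets initrc_t, the generic domain for services started from init scripts that have no policy of their own, so postdrop is allowed to write to a pipe held by any such process, not only by Zarafa. Add a comment above the rule naming the denial it resolves, and consider running the Zarafa daemons in a dedicated domain so this rule and the existing initrc_t:unix_stream_socket rule can name a narrower target. The removal of the two postfix_pipe_t tmp_t rules reduces what the module grants and needs no change.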

Latest revision as of 19:36, 22 January 2011

To create an SELinux policy for Zarafa, please follow these steps.

  • Create a file zarafa.te with the following lines:
module zarafa 1.1;

require {
	type var_run_t;
	type postfix_postdrop_t;
	type httpd_t;
	type postfix_pipe_t;
	type initrc_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class fifo_file { write getattr };
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

#============= postfix_pipe_t ==============
allow postfix_pipe_t initrc_t:unix_stream_socket connectto;
allow postfix_pipe_t var_run_t:sock_file write;

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t initrc_t:fifo_file { write getattr };


  • Compile the SELinux policy with the command: checkmodule -M -m -o zarafa.mod zarafa.te


  • Package the policy with the command: semodule_package -o zarafa.pp -m zarafa.mod


  • Copy the zarafa.pp policy file to the directory: /etc/selinux/targeted/modules/active/modules


  • Now you can load the policy with the command: semodule -vi /etc/selinux/targeted/modules/active/modules/zarafa.pp

To check whether the policy is loaded, you can use the command: semodule -l
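Before compiling, it can help to check that zarafa.te is internally consistent, since an edit like the 1.0 to 1.1 change touches the require block and the allow rules together. The following is an added example, not part of the original wiki page or of Zarafa: the helper names (parse_te, lint) and the choice of initrc_t and var_run_t as "broad" targets are assumptions made for illustration.

```python
import re
# zarafa.te 1.1 from the page (section comments dropped), embedded to run offline.
ZARAFA_TE = """\
module zarafa 1.1;
require {
    type var_run_t;
    type postfix_postdrop_t;
    type httpd_t;
    type postfix_pipe_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class fifo_file { write getattr };
}
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
allow postfix_pipe_t initrc_t:unix_stream_socket connectto;
allow postfix_pipe_t var_run_t:sock_file write;
allow postfix_postdrop_t initrc_t:fifo_file { write getattr };
"""
PERMS = r"(\{[^}]*\}|\w+)"  # either '{ a b }' or a single permission

def perms(text):
    return set(text.strip("{} ").split())

def parse_te(source):  # -> (required types, {class: perms}, allow rules)
    source = re.sub(r"#.*", "", source)  # strip comments
    body = re.search(r"require\s*\{(.*?)^\}", source, re.S | re.M).group(1)
    types = set(re.findall(r"\btype\s+(\w+)\s*;", body))
    classes = {c: perms(p) for c, p in re.findall(r"\bclass\s+(\w+)\s+" + PERMS + r"\s*;", body)}
    rules = re.findall(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS + r"\s*;", source, re.M)
    return types, classes, rules

def lint(source, broad=("initrc_t", "var_run_t")):  # 'broad' list is an assumption
    types, classes, rules = parse_te(source)
    used, out = set(), []
    for src, tgt, cls, p in rules:
        used |= {src, tgt}
        out += [("undeclared-type", t) for t in (src, tgt) if t not in types]
        missing = perms(p) - classes.get(cls, set())
        if missing:
            out.append(("undeclared-perm", cls + ":" + ",".join(sorted(missing))))
        if tgt in broad:  # generic label shared by unrelated services
            out.append(("broad-target", f"{src} -> {tgt}:{cls}"))
    out += [("unused-type", t) for t in sorted(types - used)]
    return out

if __name__ == "__main__":
    print(*lint(ZARAFA_TE), sep="\n")
```

On the module as published, the only findings are the five broad-target entries, one per allow rule. A require block left at its 1.0 contents would instead report postfix_postdrop_t as undeclared and tmp_t as unused.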
