[exim-dev] Exim and SELinux

Pàgina inicial
Delete this message
Reply to this message
Autor: David Woodhouse
Data:  
A: russell, walters
CC: exim-dev, selinux
Assumpte: [exim-dev] Exim and SELinux
In a message for which marc.theaimsgroup.com ate the Message-ID, Russell
wrote:
> For the most desirable support of Exim we need some minor changes to the way
> it works. I have spoken to the author about this and he has a positive
> attitude towards this, all that is necessary is for me (or someone else) to
> write some patches, test them, and send them to him.
>
> Once we get Exim working the way we desire doing the policy will be easy.
>
> What we want is to have different parts of Exim running in different domains.
> Exim is comprised of a single program that performs multiple tasks, but it
> re-exec's itself for each task. I think that the best way to do this is to
> have (for non-SE systems) multiple hard links to the main executable and have
> it use different names for each exec call. This just takes up a few extra
> directory entries on a non-SE system and has no noticeable overhead.


AFAICT there's only really two at the moment -- there's the unprivileged
mode where we only really need access to the spool directory, and the
mode we use for delivery, where we need to be able to write to users'
files. At http://david.woodhou.se/exim-4.50-selinux.patch there's a
patch which attempts to do this. If there are more personalities which I
should have distinguished between, we can fix that. Do we need a
separate binary to have privileges to listen on port 25?

> For a SE system we could have small wrapper programs (a few K in size - they
> would provide little overhead) that just exec the main executable. So when a
> new Exim task is launched it would exec the appropriate name which would
> trigger a domain transition, that new domain would then execute the main
> program to do the work.


For the moment I just hard-linked it. There's an patched version of the
current Fedora RPM called exim-4.50-2.selinux.{src,ppc,i386}.rpm in the
same location as above.

> This way Exim itself need know nothing about SE Linux, but we can get all the
> functionality we want.
>
> I believe that this would probably be acceptable to the author. In a month or
> so I may have time to code this. If someone else makes an appropriate patch
> to Exim I'll write the SE Linux policy immediately.


Let me know if you need anything more.

--
dwmw2