[Mimedefang] Socket paths
Josh Kelley
joshkel at gmail.com
Fri Feb 23 16:42:26 EST 2007
On 2/23/07, David F. Skoll <dfs at roaringpenguin.com> wrote:
> Still, to each his own I guess. Back to the OP's point: I feel your
> pain with SELinux. SELinux is one of those "great-in-theory,
> horrible-in-practice" bits of software. Given the absurd complexity
> of setting up SELinux policies, I'm not sure that it actually improves
> security that much. Can you *prove* that your SELinux policy does
> exactly what you need (and only what you need?) A simpler system
> like Stackguard probably buys you 95% of SELinux's security at 5% of its
> complexity.
I guess that hasn't really been my experience with SELinux. I can't
*prove* that it does exactly what I need, but I figure there's a lot
of smart folks working on it trying to see that it does, and I know
that it provides some level of protection even if it doesn't do
exactly what I need. It can be a pain in the neck when it doesn't
work, but for a lot of services, it "just works", and it's usually not
hard to disable for the services for which it doesn't work.
I guess that's why I brought it up here; I'd like to see MIMEDefang
made to "just work" if it's not too much trouble. Since Red Hat does
seem to be pushing SELinux, could MIMEDefang's redhat/* files be
modified to put the sockets under a new defang-writable
/var/run/mimedefang directory, following Steffen Kaiser's suggestion?
(Has anyone else run into SELinux problems with MIMEDefang?
Specifically, if I make /var/spool/MIMEDefang a tmpfs, as the wiki
suggests, it's labeled with a tmpfs security context, and an RPM
upgrade of MIMEDefang then fails when it tries to apply a different
security context. /var/spool/MIMEDefang can be mounted with a fixed
security context to work around that, but then socket creation doesn't
work right, hence my original question.)
Thanks.
Josh Kelley