[Mimedefang] Socket paths

Josh Kelley joshkel at gmail.com
Fri Feb 23 16:42:26 EST 2007


On 2/23/07, David F. Skoll <dfs at roaringpenguin.com> wrote:
> Still, to each his own I guess.  Back to the OP's point:  I feel your
> pain with SELinux.  SELinux is one of those "great-in-theory,
> horrible-in-practice" bits of software.  Given the absurd complexity
> of setting up SELinux policies, I'm not sure that it actually improves
> security that much.  Can you *prove* that your SELinux policy does
> exactly what you need (and only what you need?)  A simpler system
> like Stackguard probably buys you 95% of SELinux's security at 5% of its
> complexity.

I guess that hasn't really been my experience with SELinux.  I can't
*prove* that it does exactly what I need, but I figure there's a lot
of smart folks working on it trying to see that it does, and I know
that it provides some level of protection even if it doesn't do
exactly what I need.  It can be a pain in the neck when it doesn't
work, but for a lot of services, it "just works", and it's usually not
hard to disable for the services for which it doesn't work.

I guess that's why I brought it up here; I'd like to see MIMEDefang
made to "just work" if it's not too much trouble.  Since Red Hat does
seem to be pushing SELinux, could MIMEDefang's redhat/* files be
modified to put the sockets under a new defang-writable
/var/run/mimedefang directory, following Steffen Kaiser's suggestion?

(Has anyone else run into SELinux problems with MIMEDefang?
Specifically, if I make /var/spool/MIMEDefang a tmpfs, as the wiki
suggests, it's labeled with a tmpfs security context, and an RPM
upgrade of MIMEDefang then fails when it tries to apply a different
security context.  /var/spool/MIMEDefang can be mounted with a fixed
security context to work around that, but then socket creation doesn't
work right, hence my original question.)

Thanks.

Josh Kelley
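A small check for the situation described above, added here as an example and not part of the original thread: it reads `/proc/mounts`-style lines and reports whether a spool directory is a tmpfs mount carrying a fixed SELinux `context=` option (the "mounted with a fixed security context" workaround) or is left with the default tmpfs labeling that trips the RPM upgrade. The sample mount lines are constructed, and the `context=` option and output labels are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines (not captured from a real host):
# a tmpfs spool dir without a context option, one mounted with a fixed
# context=, and an ordinary ext4 root filesystem for contrast.
SAMPLE_MOUNTS='tmpfs /var/spool/MIMEDefang tmpfs rw,nosuid,nodev 0 0
tmpfs /var/spool/MIMEDefang2 tmpfs rw,context="system_u:object_r:var_spool_t:s0" 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# mount_spool_status MOUNTPOINT [MOUNTS_TEXT]
# Prints exactly one of:
#   not-mounted            no entry for MOUNTPOINT
#   other-fs               mounted, but not tmpfs (labels live in xattrs)
#   tmpfs-default-context  tmpfs without context= (gets the tmpfs label)
#   tmpfs-fixed-context    tmpfs mounted with a fixed context= option
# If MOUNTS_TEXT is omitted the live /proc/mounts is read.
mount_spool_status() {
    mp=$1
    mounts=${2:-$(cat /proc/mounts)}
    # Field 2 of each /proc/mounts line is the mount point.
    line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo not-mounted
        return 0
    fi
    fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    if [ "$fstype" != tmpfs ]; then
        echo other-fs
        return 0
    fi
    # Wrap the option list in commas so context= is matched as a whole option.
    case ",$opts," in
        *,context=*) echo tmpfs-fixed-context ;;
        *)           echo tmpfs-default-context ;;
    esac
}

# Demonstration on the constructed sample:
mount_spool_status /var/spool/MIMEDefang  "$SAMPLE_MOUNTS"   # tmpfs-default-context
mount_spool_status /var/spool/MIMEDefang2 "$SAMPLE_MOUNTS"   # tmpfs-fixed-context
```

Run `mount_spool_status /var/spool/MIMEDefang` with no second argument on a live host to check the real mount table.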