Wietse -

I know a little about SELinux. This is me: https://www.youtube.com/watch?v=_WOKRaM-HI4 (Security-Enhanced Linux for mere mortals on the Red Hat Summit YouTube channel).

If you (or anyone) are running into SELinux problems, I am more than happy to facilitate any bug reports (think adding files to the SELinux policy), or remediation (think help with building exceptions or policy modules).

Feel free to reach out to me at work at tho...@redhat.com or on this list.

Thanks,
Thomas

On 1/29/25 10:11 AM, Wietse Venema via Postfix-users wrote:
There are more than a few places in the file system where Postfix
meets the non-Postfix world. This is what I came up with in a few
minutes.

- Pathnames in $forward_path (pathnames for .forward files for UNIX
system accounts). These are accessed while impersonating a recipient.

- Pathnames, commands, and :include:/file/name directives in
$alias_maps lookup results and in .forward files. These are accessed
while impersonating a recipient, the owner of an alias table, or
with $default_privs. **Some of this information is controlled by a
user.**

- Pathnames in $mail_spool_directory. These are accessed while
impersonating a recipient or with $default_privs.

- Pathname $maillog_file. This is opened as root, written as
$mail_owner.

- Pathnames in $virtual_mailbox_maps lookup results. These are
accessed while impersonating a recipient.

I could add a disclaimer for each of these, but who would it help?
For the skilled admin it's stating the obvious, and for the unskilled,
it is just another piece of information overload.

The real problem is with 'security' systems that don't report what
they are doing (perhaps out of arrogance: if you don't know why X
is blocked then you are not worthy of knowing that).

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
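
As an added illustration of the $alias_maps item in the list above (not code from this thread or from Postfix): a small Python audit helper that reads text in aliases(5) syntax and reports the right-hand sides that are pathnames, commands, or :include: files, the points where local delivery touches the non-Postfix file system. The sample table, its names and its paths are constructed, and the parser assumes only the common syntax (comments, continuation lines, double-quoted values).

```python
import re

# Constructed sample in aliases(5) syntax; names and paths are made up.
SAMPLE_ALIASES = '''\
# constructed sample alias table
postmaster: root
archive:    /var/mail-archive/all, root
tickets:    "|/usr/local/bin/ticket-intake --queue mail"
staff:      :include:/etc/postfix/lists/staff,
            alice@example.com
'''

def logical_lines(text):
    """Drop blank/comment lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def external_targets(text):
    """Return (alias, kind, target) for every non-address right-hand side."""
    found = []
    for line in logical_lines(text):
        name, _, rhs = line.partition(":")
        # Values are comma-separated; a double-quoted value may contain commas.
        for tok in re.findall(r'\s*("[^"]*"|[^,]+)', rhs):
            val = tok.strip().strip('"')
            if val.startswith("|"):
                found.append((name.strip(), "command", val[1:].strip()))
            elif val.startswith(":include:"):
                found.append((name.strip(), "include", val[len(":include:"):]))
            elif val.startswith("/"):
                found.append((name.strip(), "file", val))
    return found

if __name__ == "__main__":
    for alias, kind, target in external_targets(SAMPLE_ALIASES):
        print(f"{alias:10} {kind:8} {target}")
```

Each reported path can then be checked for ownership, mode and SELinux label, for example with `ls -Zd`.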
