
Re: default MTA for sarge



On Thu, 17 Jul 2003 09:29, Martijn van Oosterhout wrote:
> On Thu, Jul 17, 2003 at 01:04:43AM +1000, Russell Coker wrote:
> > Normally a daemon never runs any program in a role other than "system_r",
> > and domain transitions only happen at exec time.  This is why we can have
> > different domains for different parts of Postfix but not for different
> > parts of Sendmail.  If Sendmail was to exec() itself at various
> > milestones in the delivery of a message then things would be different.
>
> Interesting. Can SE Linux assign different roles depending on command line
> arguments (serious question, I haven't looked too much into SE Linux)? The

I presume you are asking if it can do the following:
# ls /tmp   -> security context A
# ls /dev   -> security context B

The answer is no.

However you can configure it to permit an application to choose to execute an 
program in another context.  So an application can call execve_secure() and 
tell it which is the desired security context for the new program to run in.

> reason I'm asking is that Exim does in fact re-exec() itself regularly. In
> that way the parsing of message is separate from the actual delivery.

In that case it should not be difficult to patch it to read a config file for 
the security context of each process it exec's and then use the 
execve_secure() to have it run in such a context.

NB  A "role" is a set of domains that are permitted.  Changing roles is only 
done through login programs and through the "newrole" program.  It's only 
daemons such as sshd that are permitted to change role.

Domain changes are routine, and may occur automatically when executing another 
program.  If exim has a fixed set of executions of itself then something like 
the following could be done:
domain_auto_trans(sendmail_t, sendmail_exec_t, exim_stage2_t)
domain_auto_trans(exim_stage2_t, sendmail_exec_t, exim_stage3_t)
domain_auto_trans(exim_stage3_t, sendmail_exec_t, exim_stage4_t)

Therefore each stage in the Exim pipeline would get a different domain with 
different levels of access (sendmail_exec_t is the type of the binary on 
disk, the other parameters are domains).

Of course this relies on Exim having a fixed N stage pipeline for mail 
delivery, but I'm sure that's not the case.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
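The following is an added example, not part of the mail above and not SELinux's own code: a small Python model of how the domain_auto_trans(source, exec_type, target) rules in the mail resolve. It uses the domain names from the mail; the regex parser and the assumed fixed three-exec Exim pipeline are simplifications for illustration.

```python
"""Model SELinux automatic domain transitions for the Exim stages above.

Added example: a transition is a function of (current domain, type of the
exec'd binary) only, so command line arguments cannot influence it, and an
exec with no matching rule leaves the domain unchanged.
"""
import re
from typing import Dict, List, Tuple

RULE_RE = re.compile(r"domain_auto_trans\((\w+),\s*(\w+),\s*(\w+)\)")

# Constructed policy fragment using the stage names from the mail.
POLICY = """
domain_auto_trans(sendmail_t, sendmail_exec_t, exim_stage2_t)
domain_auto_trans(exim_stage2_t, sendmail_exec_t, exim_stage3_t)
domain_auto_trans(exim_stage3_t, sendmail_exec_t, exim_stage4_t)
"""


def parse_rules(policy: str) -> Dict[Tuple[str, str], str]:
    """Map (current domain, file type of the exec'd binary) -> new domain."""
    rules: Dict[Tuple[str, str], str] = {}
    for src, exec_type, target in RULE_RE.findall(policy):
        key = (src, exec_type)
        if key in rules and rules[key] != target:
            # At most one target per (domain, type) pair; a real policy
            # compiler rejects a second, different target as well.
            raise ValueError(f"conflicting transition for {key}")
        rules[key] = target
    return rules


def exec_chain(rules: Dict[Tuple[str, str], str], start_domain: str,
               exec_types: List[str]) -> List[str]:
    """Return the domain before the first exec and after each exec.

    Without a matching rule the process keeps its current domain, which is
    what happens to a fourth re-exec of Exim under the three rules above.
    """
    domains = [start_domain]
    for exec_type in exec_types:
        domains.append(rules.get((domains[-1], exec_type), domains[-1]))
    return domains
```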