sendmail_selinux(8)         SELinux Policy sendmail        sendmail_selinux(8)

NAME

       sendmail_selinux - Security Enhanced Linux Policy for the sendmail
       processes

DESCRIPTION

       Security-Enhanced Linux secures the sendmail processes via flexible
       mandatory access control.

       The sendmail processes execute with the sendmail_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep sendmail_t

ENTRYPOINTS

       The sendmail_t SELinux type can be entered via the sendmail_exec_t,
       mta_exec_type file types.

       The default entrypoint paths for the sendmail_t domain are the
       following:

       /usr/sbin/sendmail(.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail,
       /usr/sbin/ssmtp, /usr/lib/sendmail, /usr/bin/esmtp-wrapper,
       /var/qmail/bin/sendmail, /usr/sbin/sendmail.postfix

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sendmail policy is very flexible, allowing users to set up their
       sendmail processes as securely as possible.

       The following process types are defined for sendmail:

       sendmail_t

       Note: semanage permissive -a sendmail_t can be used to make the process
       type sendmail_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

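       The ps -eZ check above, turned into a small audit script that reports
       any mail process not running in the sendmail_t domain. This is an added
       example and not part of the man page; the listing it inspects is
       constructed, and the set of command names it treats as MTA entrypoints
       is an assumption drawn from the paths listed under ENTRYPOINTS.

```shell
#!/bin/sh
# Added example (not part of this man page): audit a `ps -eZ` listing and
# report sendmail processes that are running outside the sendmail_t domain.
# Real usage:  ps -eZ | audit_sendmail_domains
# The listing below is constructed so the script runs offline.

# Reads ps -eZ lines (LABEL PID TTY TIME CMD) on stdin, prints one line per
# mail process not confined in sendmail_t; returns 0 if all are confined.
audit_sendmail_domains() {
    bad=0
    while read -r ctx rest; do
        cmd=${rest##* }                 # CMD is the last field
        case "$cmd" in
            sendmail|sendmail.sendmail|sendmail.postfix|rmail|ssmtp|esmtp) ;;
            *) continue ;;              # not an MTA entrypoint, skip
        esac
        domain=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        if [ "$domain" != "sendmail_t" ]; then
            printf 'UNCONFINED: %s %s\n' "$ctx" "$rest"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed ps -eZ snapshot: one confined sendmail, one sendmail whose
# context is unconfined_t, and an unrelated daemon.
SAMPLE='LABEL PID TTY TIME CMD
system_u:system_r:sendmail_t:s0 1123 ? 00:00:00 sendmail
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 sendmail
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ? 00:00:01 sshd'

# Number of unconfined mail processes in SAMPLE (PID 2201 only).
count_unconfined() {
    printf '%s\n' "$SAMPLE" | audit_sendmail_domains | wc -l | tr -d ' '
}

count_unconfined   # prints 1
```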

BOOLEANS

       SELinux policy is customizable based on least access required. sendmail
       policy is extremely flexible and has several booleans that allow you
       to manipulate the policy and run sendmail with the tightest access
       possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

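       An added example (not part of this man page) that treats the booleans
       above as one intended configuration: it reads the current state in
       getsebool -a format and prints only the setsebool -P commands needed to
       reach that configuration. The intended state and the getsebool snapshot
       are constructed; keeping nscd_use_shm enabled is an assumption made for
       the example, not a policy default.

```shell
#!/bin/sh
# Added example (not part of this man page): compare the booleans listed
# above against a host's current `getsebool -a` output and emit the exact
# `setsebool -P` commands needed to reach the intended state.
# Real usage:  getsebool -a | boolean_drift
# The getsebool snapshot below is constructed so the script runs offline.

# Intended state: the page's defaults, except nscd_use_shm, which this
# example assumes the site has chosen to enable (an assumption, not a default).
DESIRED='authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled off
nis_enabled off
nscd_use_shm on'

# Reads "name --> on|off" lines on stdin; prints one setsebool -P command per
# boolean in DESIRED whose current state differs. Other booleans are ignored.
boolean_drift() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        want=$(printf '%s\n' "$DESIRED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue
        if [ "$want" != "$state" ]; then
            case "$want" in on) v=1 ;; *) v=0 ;; esac
            printf 'setsebool -P %s %s\n' "$name" "$v"
        fi
    done
}

# Constructed snapshot: fips_mode was switched off, nis_enabled was switched
# on, and nscd_use_shm is still at its default.
SAMPLE='authlogin_nsswitch_use_ldap --> off
fips_mode --> off
kerberos_enabled --> off
nis_enabled --> on
nscd_use_shm --> off
some_unrelated_boolean --> on'

# Commands needed to bring SAMPLE in line with DESIRED.
drift_commands() {
    printf '%s\n' "$SAMPLE" | boolean_drift
}

drift_commands
```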

MANAGED FILES

       The SELinux process type sendmail_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cifs_t

       dovecot_spool_t

            /var/spool/dovecot(/.*)?

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       etc_aliases_t

            /etc/mail/.*.db
            /etc/mail/aliases.*
            /etc/postfix/aliases.*
            /etc/aliases
            /etc/aliases.db

       exim_spool_t

            /var/spool/exim[0-9]?(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       initrc_tmp_t

       mail_home_rw_t

            /root/Maildir(/.*)?
            /root/.esmtp_queue(/.*)?
            /var/lib/arpwatch/.esmtp_queue(/.*)?
            /home/[^/]+/.maildir(/.*)?
            /home/[^/]+/Maildir(/.*)?
            /home/[^/]+/.esmtp_queue(/.*)?

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mailman_data_t

            /etc/mailman.*
            /var/lib/mailman(/.*)?
            /var/spool/mailman.*

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       nfs_t

       procmail_tmp_t

       sendmail_log_t

            /var/log/mail(/.*)?
            /var/log/sendmail.st.*

       sendmail_tmp_t

       sendmail_var_run_t

            /var/run/sendmail.pid
            /var/run/sm-client.pid

       user_home_t

            /home/[^/]+/.+


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sendmail policy is very flexible, allowing users to set up their
       sendmail processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sendmail. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t sendmail_var_run_t '/srv/mysendmail_content(/.*)?'
       restorecon -R -v /srv/mysendmail_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sendmail:

       sendmail_exec_t

       - Set files with the sendmail_exec_t type, if you want to transition an
       executable to the sendmail_t domain.

       Paths:
            /usr/sbin/sendmail(.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail,
            /usr/sbin/ssmtp, /usr/lib/sendmail, /usr/bin/esmtp-wrapper,
            /var/qmail/bin/sendmail, /usr/sbin/sendmail.postfix

       sendmail_initrc_exec_t

       - Set files with the sendmail_initrc_exec_t type, if you want to
       transition an executable to the sendmail_initrc_t domain.

       sendmail_keytab_t

       - Set files with the sendmail_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       sendmail_log_t

       - Set files with the sendmail_log_t type, if you want to treat the data
       as sendmail log data, usually stored under the /var/log directory.

       Paths:
            /var/log/mail(/.*)?, /var/log/sendmail.st.*

       sendmail_tmp_t

       - Set files with the sendmail_tmp_t type, if you want to store sendmail
       temporary files in the /tmp directories.

       sendmail_var_run_t

       - Set files with the sendmail_var_run_t type, if you want to store the
       sendmail files under the /run or /var/run directory.

       Paths:
            /var/run/sendmail.pid, /var/run/sm-client.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

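       An added example (not part of this man page) that checks ls -Z output
       against the default file-context specs listed above for sendmail_log_t,
       sendmail_var_run_t and mqueue_spool_t, reporting files that restorecon
       would relabel. The listing it checks is constructed; the matching is a
       simplified first-match over these specs, not libselinux's full
       file_contexts lookup.

```shell
#!/bin/sh
# Added example (not part of this man page): verify on-disk labels against the
# default sendmail file-context specs listed above and report files that
# restorecon would relabel. Usage: ls -Z <paths> | check_sendmail_labels
# The listing at the bottom is constructed so the script runs offline.

# Regex specs from this page (regex, then type). As in file_contexts the
# whole path must match, so the regexes are anchored with ^ and $ below.
SPECS='/var/log/mail(/.*)? sendmail_log_t
/var/log/sendmail.st.* sendmail_log_t
/var/run/sendmail.pid sendmail_var_run_t
/var/run/sm-client.pid sendmail_var_run_t
/var/spool/(client)?mqueue(/.*)? mqueue_spool_t
/var/spool/mqueue.in(/.*)? mqueue_spool_t'

# Prints the type the first matching spec assigns to $1, or nothing if none
# of the specs above cover the path (these specs do not overlap).
expected_type() {
    printf '%s\n' "$SPECS" | while read -r re type; do
        if printf '%s\n' "$1" | grep -Eq "^${re}\$"; then
            printf '%s\n' "$type"
            break
        fi
    done
}

# Reads `ls -Z` lines (CONTEXT PATH) on stdin; prints one line per file whose
# type differs from the spec; returns 1 if any mismatch was found.
check_sendmail_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue                    # not a sendmail path
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        if [ "$have" != "$want" ]; then
            printf 'MISLABELED %s is %s, expected %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed listing: a rotated log and the pid file carry generic types.
SAMPLE='system_u:object_r:sendmail_log_t:s0 /var/log/mail/statistics
unconfined_u:object_r:var_log_t:s0 /var/log/mail/old/maillog.1
system_u:object_r:var_run_t:s0 /var/run/sendmail.pid
system_u:object_r:mqueue_spool_t:s0 /var/spool/clientmqueue/qfx1'

printf '%s\n' "$SAMPLE" | check_sendmail_labels || :   # two MISLABELED lines
```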

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sendmail(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

sendmail                           19-12-02                sendmail_selinux(8)