postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Mon Jun 19 20:34:05 UTC 2006


On Mon, 2006-06-19 at 21:13 +0100, Paul Howarth wrote:
> On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> > On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > > At this point it might be worth trying to remove some of the "strange" 
> > > policy items, such as:
> > > 
> > > allow postfix_master_t man_t:file getattr;
> > > 
> > > and see what, if anything fails. By doing this we might get some insight 
> > > into what is actually happening, or if nothing breaks, we could 
> > > dontaudit it instead of allowing it.
> > > 
> > > Paul.
> > 
> > 
> > Paul,
> > 
> > Apologies for the delay in my reply, as I was traveling (Vienna,
> > Austria) all of last week and got back late yesterday. My schedule there
> > ended up being busier than I expected and I did not have a chance to get
> > to this.
> > 
> > I tried to make the above modification to mypostfix.te, however when
> > going back to build all of the policy modules, I now get an error:
> > 
> > Compiling targeted procmail module
> > /usr/bin/checkmodule:  loading policy configuration from tmp/procmail.tmp
> > procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line 57484:
> > clamscan_domtrans(procmail_t)
> > # ==============================================
> > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > make: *** [tmp/procmail.mod] Error 1
> > 
> > 
> > Line 41 in procmail.te (as noted above) is:
> > 
> > clamscan_domtrans(procmail_t)
> > 
> > 
> > This error occurs even without the modification to mypostfix.te, so I am
> > unclear as to what happened since the last time I was able to build them
> > all.
> > 
> > I plead jet lag here and suspect that you might rapidly recognize what
> > is happening and have an easy fix. If you need me to check some files,
> > let me know.
> 
> The interface name has changed in a recent selinux-policy update. New
> procmail.te:
> 
> policy_module(procmail, 0.5.3)
> 
> require {
>         type procmail_t;
>         type sendmail_t;
> };
> 
> # temp files
> type procmail_tmp_t;
> files_tmp_file(procmail_tmp_t)
> 
> # log files
> type procmail_var_log_t;
> logging_log_file(procmail_var_log_t)
> 
> # Write log to /var/log/procmail.log
> allow procmail_t procmail_var_log_t:file create_file_perms;
> allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
> logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
> 
> # Allow programs called from procmail to read/write temp files and dirs
> allow procmail_t procmail_tmp_t:dir create_dir_perms;
> allow procmail_t procmail_tmp_t:file create_file_perms;
> files_type(procmail_tmp_t)
> files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
> 
> # Hide uninteresting things when debugging using enableaudit.pp
> mta_dontaudit_rw_queue(procmail_t)
> 
> # ==============================================
> # Procmail needs to call sendmail for forwarding
> # ==============================================
> 
> # Read alternatives link (still not in policy)
> corecmd_read_sbin_symlinks(procmail_t)
> 
> # Procmail occasionally signals sendmail, e.g. when it times out during forwarding
> allow procmail_t sendmail_t:process signal;
> 
> # Allow transition to sendmail
> # This is in selinux-policy-2.2.34-2 onwards
> # (may need similar code for other MTAs that can replace sendmail)
> # sendmail_domtrans(procmail_t)
> 
> # ==============================================
> # Procmail needs to be able to call clamassassin
> # ==============================================
> clamav_domtrans_clamscan(procmail_t)

Thanks Paul!

OK, so the building goes OK, but now when I try to install the modules,
I get the following error:

# /usr/sbin/semodule -i procmail.pp
libsepol.class_copy_callback: procmail: Modules may not yet declare new classes.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!


This occurs with each of the 5 modules.

Due to the recent change as well or is there something else that I need
to do before installing the new module(s)?

Thanks,

Marc

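The checkmodule failure quoted above is the generic symptom of calling a reference-policy interface under a name that the installed policy headers no longer define: m4 leaves the unknown macro call untouched and checkmodule then trips over it as a syntax error, reporting the line in the expanded output rather than the interface that went missing. The script below is an added example, not code from this thread or from the Fedora selinux-policy package; it compares the interface calls in a .te file against the `interface(`name'` declarations in a directory of refpolicy-style .if headers (on Fedora those live under /usr/share/selinux/devel/include). The header and .te files it writes are constructed stand-ins for the real ones, cut down to the lines needed to show the old and the renamed call.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Fedora/refpolicy project.
# Checks that every interface called from a refpolicy-style .te file is
# defined in a directory of .if headers (on Fedora the real headers live in
# /usr/share/selinux/devel/include; the tree built below is constructed).

# list_called_interfaces TE_FILE
# Prints the names of macro calls of the form name(...) at the start of a
# line, minus policy keywords that also take parentheses.
list_called_interfaces() {
    sed 's/#.*//' "$1" \
      | grep -oE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*\(' \
      | sed 's/[[:space:](]//g' \
      | grep -vE '^(policy_module|optional_policy|tunable_policy|gen_require|ifdef|ifndef)$' \
      | sort -u
}

# list_defined_interfaces IF_DIR
# Prints every name declared as interface(`name' or template(`name' in IF_DIR.
list_defined_interfaces() {
    grep -rhoE '^(interface|template)\(`[A-Za-z_][A-Za-z0-9_]*' "$1" \
      | sed 's/^.*(`//' \
      | sort -u
}

# check_te TE_FILE IF_DIR
# Reports each called interface that no header defines; returns 1 if any.
check_te() {
    _defined=$(list_defined_interfaces "$2")
    _missing=0
    for _name in $(list_called_interfaces "$1"); do
        if ! printf '%s\n' "$_defined" | grep -qx "$_name"; then
            echo "$1: undefined interface '$_name'"
            _missing=1
        fi
    done
    return $_missing
}

# make_sample_tree
# Writes constructed headers and two .te files into a temp dir; prints its path.
make_sample_tree() {
    _d=$(mktemp -d)
    mkdir "$_d/include"
    cat > "$_d/include/files.if" <<'EOF'
## <summary>Constructed stand-in for files.if</summary>
interface(`files_tmp_file',`
    gen_require(`
        attribute tmpfile;
    ')
    typeattribute $1 tmpfile;
')
EOF
    cat > "$_d/include/clamav.if" <<'EOF'
## <summary>Constructed stand-in for clamav.if (post-rename interface name)</summary>
interface(`clamav_domtrans_clamscan',`
    gen_require(`
        type clamscan_t, clamscan_exec_t;
    ')
    domain_auto_trans($1, clamscan_exec_t, clamscan_t)
')
EOF
    # Old module source: still calls the pre-rename interface name.
    cat > "$_d/old_procmail.te" <<'EOF'
policy_module(procmail, 0.5.3)

require {
        type procmail_t;
};

type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# Procmail needs to be able to call clamassassin
clamscan_domtrans(procmail_t)
EOF
    # Updated module source: same file with the call under its current name.
    sed 's/^clamscan_domtrans(/clamav_domtrans_clamscan(/' \
        "$_d/old_procmail.te" > "$_d/new_procmail.te"
    echo "$_d"
}

# Demonstration on the constructed tree.
SAMPLE=$(make_sample_tree)
check_te "$SAMPLE/old_procmail.te" "$SAMPLE/include" \
    || echo "checkmodule would reject old_procmail.te; rename the call(s) above"
check_te "$SAMPLE/new_procmail.te" "$SAMPLE/include" \
    && echo "new_procmail.te: all interfaces resolve"
rm -rf "$SAMPLE"
```

Against a real tree, point `check_te` at your own .te and at /usr/share/selinux/devel/include; when a name is reported as undefined, `grep -r "interface(\`" /usr/share/selinux/devel/include/ | grep clamscan` (or whatever fragment of the old name is likely to survive a rename) usually turns up the current spelling. The script only catches missing interface names; it says nothing about the later `semodule -i` failure, which happens at link time rather than during compilation.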
More information about the fedora-selinux-list mailing list