procmail vs amanda selinux hits

Paul Howarth paul at city-fan.org
Wed Jan 16 15:51:37 UTC 2008


Daniel J Walsh wrote:
> Gene Heskett wrote:
>> Greetings;
>>
>> At about the time the backup program amanda is due to send me an email, I'm 
>> getting popups from selinux.
>>
>> Amanda is at times trying to send the user gene an email, some of which I do 
>> get, but:
>>
>> From setroubleshoot:
>> SUMMARY
>> SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).

On a related matter, I sometimes like to use a system-wide procmail 
script (/etc/procmailrc) and have system-wide procmail logs to go with 
that, which can be done by putting in /etc/procmailrc something like:

LOGFILE=/var/log/procmail.log
or
LOGFILE=/var/log/procmail/$LOGNAME

Current policy doesn't cater for this, so I added:

::::::::::::::
myprocmail.te
::::::::::::::
policy_module(myprocmail, 0.5.6)

require {
         type procmail_t;
         type sendmail_t;
};

# log files
type procmail_log_t;
logging_log_file(procmail_log_t)

# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
logging_log_filetrans(procmail_t,procmail_log_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy?)
corecmd_read_bin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
sendmail_signal(procmail_t)

::::::::::::::
myprocmail.fc
::::::::::::::
/var/log/procmail\.log  --  gen_context(system_u:object_r:procmail_log_t,s0)
/var/log/procmail(/.*)?     gen_context(system_u:object_r:procmail_log_t,s0)

The last bits of policy are things I've had locally for a couple of 
Fedora releases now; not sure if they're in current policy but I think 
they should be.

Cheers, Paul.
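As an added example (not code from the original post or from the Fedora policy), a small Python parser that reads AVC denials like the one setroubleshoot reported above, aggregates them into audit2allow-style allow rules, and flags any rule that would grant a domain write-like access to a generic type such as var_log_t, where a dedicated type with a file transition (as procmail_log_t above) is the better fix. The audit.log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original post). The first
# mirrors the setroubleshoot denial above; the rest are made up to show grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200495097.101:42): avc:  denied  { search } for  pid=4242 comm="procmail" name="log" dev=dm-0 ino=131 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1200495097.102:43): avc:  denied  { write } for  pid=4242 comm="procmail" name="log" dev=dm-0 ino=131 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1200495097.103:44): avc:  denied  { add_name } for  pid=4242 comm="procmail" name="procmail.log" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1200495099.500:45): avc:  denied  { signal } for  pid=4242 comm="procmail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=process
type=SYSCALL msg=audit(1200495097.101:42): arch=c000003e syscall=2 success=no exit=-13 comm="procmail"
"""

# Pull the permission set, source type, target type and object class out of
# an AVC line; the optional (?::\S+)? swallows the MLS/MCS range if present.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)(?::\S+)?\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)?\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Generic file-system types: granting write access to these widens a domain far
# more than a dedicated type does. The list is an assumption for this example.
GENERIC_TARGETS = {"var_log_t", "var_t", "var_lib_t", "etc_t", "tmp_t", "usr_t"}
WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name", "unlink", "setattr"}

def parse_avc_denials(log_text):
    """Return {(stype, ttype, tclass): set(perms)} for every AVC denial line."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:            # SYSCALL, USER_AVC and other records are skipped
            continue
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)

def to_allow_rules(rules):
    """Render the aggregated denials as audit2allow-style allow statements."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]

def flag_generic_writes(rules):
    """(stype, ttype) pairs that would gain write-like access to a generic type."""
    return sorted({(s, t) for (s, t, _), p in rules.items()
                   if t in GENERIC_TARGETS and p & WRITE_LIKE})
```

Feed the contents of /var/log/audit/audit.log to parse_avc_denials(); anything flag_generic_writes() returns is a candidate for a dedicated type plus a logging_log_filetrans-style rule rather than a blanket allow.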

More information about the fedora-selinux-list mailing list