Configuration of global procmail

Todd Zullinger tmz at pobox.com
Wed Jul 18 05:00:31 UTC 2007


Wojciech Komornicki wrote:
> Thanks for the quick response.

You're welcome.

> I am running Fedora 5 and not 7 but I do not think that should make
> a difference.

For the most part, no.  Though if it is an selinux issue, it's
possible that the policy was improved in later versions.  Also, FC5
is no longer maintained. :)

> From the audit.log file it seems that procmail is failing on a call
> to getattr
>
> Jul 17 11:19:21 kernel: audit(1184689161.358:29353): avc:  denied  {getattr } for  pid=29579 comm=procmail name="wk" dev=dm-0 ino=14091670 scontext=root:system_r:procmail_t tcontext=root:object_r:var_spool_t tclass=file
> 
> I have encountered this before when a utility tries to get the
> attributes of a non-existent file.   I did not have a
> /etc/procmailrc file so I got one off of the web.
> 
>      # Please check if all the paths in PATH are reachable, remove the ones that
>      # are not.
> 
>      PATH=/usr/bin:/bin:/usr/local/bin:.
>      MAILDIR=$HOME/Mail        # You'd better make sure it exists
>      DEFAULT=$MAILDIR/mbox
>      LOGFILE=$MAILDIR/from
>      LOCKFILE=$HOME/.lockmail
> 
> 
>      # Anything that has not been delivered by now will go to $DEFAULT
>      # using LOCKFILE=$DEFAULT$LOCKEXT
>
> Now procmail does not fail but delivers mail to the user's mbox.  If
> I omit the variable DEFAULT, procmail fails.  If I change it to
>      DEFAULT=/var/mail/$LOGNAME
> procmail fails
>
> So now procmail does not fail but does not deliver to the system
> mailbox but to the user's MAILDIR.
> 
> BTW: I am testing this out on an account I set up with no
> .procmailrc file.

You can see if it's an selinux issue by disabling selinux temporarily:

# setenforce 0

If things work then, you'll want to look carefully at the audit log.
The audit2why and audit2allow tools can be helpful here.

I'm still not sure why you need to run your own procmail instead of
the packaged version that ships with FC5.  The default selinux policy
may well allow things to work with the non-set{u,g}id procmail, if it
really is an selinux issue.

If it is selinux, you might want to search the archives of the
fedora-selinux-list.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any sufficiently advanced technology is indistinguishable from a
rigged demo
