procmail

[Paul Howarth]

Christopher J. PeBenito wrote:
> On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
>> Paul Howarth wrote:
> 
>> module procmail 0.1;
>>
>> require {
> [cut]
>>          class dir { add_name getattr read remove_name search write };
>>          class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
>>          class lnk_file read;
>>          class process { noatsecure sigchld siginh transition rlimitinh };
>>          class fd { use };
>>          class fifo_file { getattr read write append ioctl lock };
> [cut]
>> This does seem to work but surely there's a tidier way of handling those 
>> class requirements? What am I missing?
> 
> You want to use the "policy_module(procmail,0.1)" macro instead of the
> module statement at the top.  It adds all of the kernel object classes,
> so you don't have to write them all out.

Thanks, that's much better:

policy_module(procmail, 0.2)

require {
	type procmail_t;
	type sbin_t;
	type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
	sendmail_domtrans(procmail_t)
')




Cheers, Paul.