procmail
Paul Howarth
paul at city-fan.org
Fri Apr 21 13:24:55 UTC 2006
Christopher J. PeBenito wrote:
> On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
>> Paul Howarth wrote:
>
>> module procmail 0.1;
>>
>> require {
> [cut]
>> class dir { add_name getattr read remove_name search write };
>> class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
>> class lnk_file read;
>> class process { noatsecure sigchld siginh transition rlimitinh };
>> class fd { use };
>> class fifo_file { getattr read write append ioctl lock };
> [cut]
>> This does seem to work but surely there's a tidier way of handling those
>> class requirements? What am I missing?
>
> You want to use the "policy_module(procmail,0.1)" macro instead of the
> module statement at the top. It adds all of the kernel object classes,
> so you don't have to write them all out.
Thanks, that's much better:
policy_module(procmail, 0.2)

require {
    type procmail_t;
    type sbin_t;
    type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
    sendmail_domtrans(procmail_t)
')
Cheers, Paul.
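The module above still has to be compiled and loaded before it does anything. The script below is an added example, not part of Paul's post or of the Fedora policy: it writes the procmail.te from the post into a working directory, checks that it uses the policy_module() macro rather than a bare module statement with a hand-written require block (the form that audit2allow -M emits), and, when the selinux-policy-devel Makefile and semodule are present and the script runs as root, builds procmail.pp and installs it. The Makefile path /usr/share/selinux/devel/Makefile and the package name selinux-policy-devel are the usual Fedora locations and are assumptions here; the build and load steps are skipped when the tooling is absent.

```shell
#!/bin/sh
# Added example (not from the original post): build and load the procmail
# policy module shown in the thread with the refpolicy development Makefile.
# Assumed paths: /usr/share/selinux/devel/Makefile (selinux-policy-devel).
set -eu

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# write_procmail_te DIR: write DIR/procmail.te with the policy from the post
# and print its path. The quoted heredoc keeps the m4 backticks intact.
write_procmail_te() {
    dir=$1
    cat > "$dir/procmail.te" <<'EOF'
policy_module(procmail, 0.2)

require {
    type procmail_t;
    type sbin_t;
    type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
optional_policy(`sendmail',`
    sendmail_domtrans(procmail_t)
')
EOF
    echo "$dir/procmail.te"
}

# uses_policy_module FILE: succeed when FILE opens with policy_module() and
# does not carry a bare "module name ver;" statement. policy_module() pulls
# in the kernel object classes, so no explicit class list is needed.
uses_policy_module() {
    te=$1
    grep -q '^policy_module(' "$te" && ! grep -q '^module ' "$te"
}

# build_module DIR: compile DIR/procmail.te into DIR/procmail.pp.
# Returns 2 (not an error for the caller) when the devel Makefile is absent.
build_module() {
    dir=$1
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "no $DEVEL_MAKEFILE; install selinux-policy-devel to build" >&2
        return 2
    fi
    make -C "$dir" -f "$DEVEL_MAKEFILE" procmail.pp
}

# load_module DIR: install DIR/procmail.pp and confirm it is listed.
load_module() {
    dir=$1
    semodule -i "$dir/procmail.pp"
    semodule -l | grep -q '^procmail'
}

# Stand-alone run: always write and check the .te; build and load only
# when the toolchain is present and we are root.
workdir=$(mktemp -d)
te=$(write_procmail_te "$workdir")
if uses_policy_module "$te"; then
    echo "$te uses policy_module(); no explicit class requirements needed"
else
    echo "$te still uses a bare module statement" >&2
fi
if command -v semodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] \
   && build_module "$workdir"; then
    load_module "$workdir" && echo "procmail module loaded"
else
    echo "skipping build/load (need selinux-policy-devel, semodule and root)" >&2
fi
```

After loading, `sesearch -A -s procmail_t -t var_log_t` (from setools) shows the append and search rules, and a second `semodule -i` with a higher version number in policy_module() replaces the module in place.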