postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Mon Jun 19 20:13:09 UTC 2006


On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > At this point it might be worth trying to remove some of the "strange" 
> > policy items, such as:
> > 
> > allow postfix_master_t man_t:file getattr;
> > 
> > and see what, if anything fails. By doing this we might get some insight 
> > into what is actually happening, or if nothing breaks, we could 
> > dontaudit it instead of allowing it.
> > 
> > Paul.
> 
> 
> Paul,
> 
> Apologies for the delay in my reply, as I was traveling (Vienna,
> Austria) all of last week and got back late yesterday. My schedule there
> ended up being busier than I expected and did not have a chance to get
> to this.
> 
> I tried to make the above modification to mypostfix.te, however when
> going back to build all of the policy modules, I now get an error:
> 
> Compiling targeted procmail module
> /usr/bin/checkmodule:  loading policy configuration from
> tmp/procmail.tmp
> procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line
> 57484:
> clamscan_domtrans(procmail_t)
> # ==============================================
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/procmail.mod] Error 1
> 
> 
> Line 41 in procmail.te (as noted above) is:
> 
> clamscan_domtrans(procmail_t)
> 
> 
> This error occurs even without the modification to mypostfix.te, so I am
> unclear as to what happened since the last time I was able to build them
> all.
> 
> I plead jet lag here and suspect that you might rapidly recognize what
> is happening and have an easy fix. If you need me to check some files,
> let me know.

The interface name has changed in a recent selinux-policy update. New
procmail.te:

policy_module(procmail, 0.5.3)

require {
        type procmail_t;
        type sendmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# Hide uninteresting things when debugging using enableaudit.pp
mta_dontaudit_rw_queue(procmail_t)

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during
# forwarding
allow procmail_t sendmail_t:process signal;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamscan(procmail_t)

Paul.
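As an added check that is not part of Paul's reply or of the selinux-policy sources: a short shell script that lists the interfaces a .te file calls but the installed reference-policy headers do not define, so a renamed interface (clamscan_domtrans becoming clamav_domtrans_clamscan) is reported by name instead of as checkmodule's bare 'syntax error'. It assumes the Fedora layout with headers under /usr/share/selinux/devel/include, and the .te and .if files it creates are constructed fixtures standing in for the real policy.

```shell
#!/bin/sh
# Added example (not from the thread): report interfaces that a .te file calls
# but the installed refpolicy headers do not define, so a renamed interface is
# named instead of checkmodule's bare 'syntax error'. Assumes headers under
# /usr/share/selinux/devel/include; the fixture files below are constructed.

# Macro names called at line start ("name(") in a .te file, comments stripped.
# policy_module() is a support macro rather than an interface, so skip it.
te_interfaces() {
    sed 's/#.*//' "$1" | grep -oE '^[a-z][a-z0-9_]*\(' | tr -d '(' \
        | grep -vx policy_module | sort -u
}

# Names of every interface()/template() defined in .if files under $1.
defined_interfaces() {
    find "$1" -name '*.if' -exec grep -hoE '^(interface|template)\(`[a-z0-9_]+' {} + \
        | sed 's/.*`//' | sort -u
}

# Print names used by .te $1 but absent from headers under $2; return 1 if any.
missing_interfaces() {
    have=$(defined_interfaces "$2"); rc=0
    for name in $(te_interfaces "$1"); do
        if ! printf '%s\n' "$have" | grep -qx -- "$name"; then
            echo "$name"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture: headers that only know the new clamav interface name and
# a procmail.te that still calls the old one. Prints "clamscan_domtrans".
demo() {
    dir=$(mktemp -d); mkdir -p "$dir/include/services"
    cat > "$dir/include/services/clamav.if" <<'EOF'
interface(`clamav_domtrans_clamscan',`
    gen_require(`type clamscan_t;')
')
EOF
    printf "interface(\`mta_dontaudit_rw_queue',\`\n')\n" > "$dir/include/services/mta.if"
    cat > "$dir/procmail.te" <<'EOF'
policy_module(procmail, 0.5.3)
mta_dontaudit_rw_queue(procmail_t)
# Procmail needs to be able to call clamassassin
clamscan_domtrans(procmail_t)
EOF
    out=$(missing_interfaces "$dir/procmail.te" "$dir/include") || true
    rm -rf "$dir"; printf '%s\n' "$out"
}
demo
```

Pointed at the real files (`missing_interfaces procmail.te /usr/share/selinux/devel/include`) it exits non-zero and names each stale interface, which is the check to run before `make` after a selinux-policy update.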
