Postfix/mailman problem

Ivan Gyurdiev ivg2 at cornell.edu
Thu Mar 2 20:34:10 UTC 2006 

> How is that determined?  I can't find a single reference to procmail
> anywhere in the SELinux targeted configuration, and procmail doesn't
> seem to have any special context:
>
> # ls --lcontext /usr/bin/procmail
> -rwxr-xr-x  1 system_u:object_r:bin_t          root mail 100680 Mar 18 
> 2005 /usr/bin/procmail
>   
I run strict policy, you probably don't have a procmail policy installed.
I determined this by running looking at the policy.conf in the generated 
policy.conf file from a refpolicy cvs build. I also looked at the policy 
source.

        allow postfix_pipe_t postfix_pipe_exec_t:file { read getattr 
lock execute ioctl };
        allow postfix_pipe_t postfix_pipe_exec_t:file { { read getattr 
lock execute ioctl } execute_no_trans };
        allow postfix_pipe_t postfix_exec_t:file { read getattr lock 
execute ioctl };
        allow postfix_pipe_t shell_exec_t:file { { read getattr lock 
execute ioctl } execute_no_trans };
        allow postfix_pipe_t ld_so_t:file { read getattr lock execute 
ioctl };
        allow postfix_pipe_t { shlib_t textrel_shlib_t }:file { read 
getattr lock execute ioctl };
        allow postfix_pipe_t procmail_exec_t:file { getattr read execute };

        type_transition postfix_pipe_t var_run_t:file postfix_var_run_t;
        type_transition postfix_master_t postfix_pipe_exec_t:process 
postfix_pipe_t;
        type_transition postfix_pipe_t procmail_exec_t:process procmail_t;

>> I would say:
>> - the type mailman_queue_exec_t looks wrong for that file - how did it
>> get this type?
>>     
>
> I'm not sure, actually.  Should it just be system_u:object_r:bin_t?
>   
Did you install this file yourself? bin_t certainly seems more correct...
But it doesn't really matter what it is - pipe still won't be able to 
transition into the mailman domain until policy is written for that.

>> - the file /usr/lib/mailman/mail (which your script runs) appears to be
>> a SGID executable to group mailman which runs other [mailman] programs.
>> It has type lib_t, which is incorrect. I think whatever regexps are
>> currently used in policy are overly generic, and misclassify lots of
>> things as lib_t.
>>     
>
> Should I change its context to system_u:object_r:bin_t?
>   
Anything you change that is not a customizable type can later get 
un-done by restorecon.
This should be fixed in policy.

More information about the fedora-selinux-list mailing list