procmail

Paul Howarth paul at city-fan.org
Tue May 16 16:38:39 UTC 2006


Paul Howarth wrote:
> Paul Howarth wrote:
> selinux-policy-2.2.34-2 has the domain transition allowing procmail to 
> run sendmail, but:
> 
> 1. it still doesn't allow the sbin_t:lnk_file read to follow the 
> "alternatives" link /usr/sbin/sendmail -> /etc/alternatives/mta
> 
> 2. there will need to be a transition enabled for other MTAs that can 
> replace sendmail, such as postfix, exim, etc. if their 
> sendmail-compatible command-line program is not labelled sendmail_exec_t.

My latest policy module is:

policy_module(procmail, 0.4.1)

type procmail_tmp_t;

require {
	type procmail_t;
	type sbin_t;
	type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Needed for scripts called from procmail to read/write temp files
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# optional_policy(`sendmail',`
#       sendmail_domtrans(procmail_t)
# ')



I think I'm nearly there now as the procmail AVCs are now few and far 
between. I just got one I don't understand though:

type=AVC msg=audit(1147796926.268:24816): avc:  denied  { associate } 
for  pid=27085 comm="bounced-mail" name="bm27083.1" 
scontext=user_u:object_r:procmail_tmp_t:s0 
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1147796926.268:24816): arch=40000003 syscall=5 
success=yes exit=3 a0=92962d0 a1=8241 a2=1b6 a3=8241 items=1 pid=27085 
auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 
sgid=502 fsgid=502 comm="bounced-mail" exe="/bin/bash"
type=CWD msg=audit(1147796926.268:24816):  cwd="/home/mcivta/mail"
type=PATH msg=audit(1147796926.268:24816): item=0 name="/tmp/bm27083.1" 
flags=310  inode=2 dev=fd:02 mode=041777 ouid=0 ogid=0 rdev=00:00

(this is in permissive mode btw)

What's being denied here?

"bounced-mail" is a script I'm using to process mailing list bounces.

Paul.
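Editor's note, added here and not part of Paul's message or of any Fedora policy release: the AVC above is not about the bounced-mail script's own access, it is about the type procmail_tmp_t itself. Every type that labels files on a filesystem must hold the filesystem permission associate for that filesystem's type (here fs_t, the type of the device dev=fd:02 where /tmp lives). In reference policy that permission comes with the file_type attribute, which files_tmp_file() attaches through files_type() and fs_associate(). A bare "type procmail_tmp_t;" declaration gets no attributes at all, so the first open(O_CREAT) of /tmp/bm27083.1 by the script (syscall=5 in the SYSCALL record) triggers the denial; it shows success=yes only because the box is permissive, in enforcing mode the open would fail with EACCES. The module below is the posted policy with that one declaration added; the module name procmail_local and the version number are my own choices.

```selinux
policy_module(procmail_local, 0.4.2)

require {
	type procmail_t;
	type sbin_t;
	type var_log_t;
};

# Temp file type for scripts run from procmail.
# The type declaration alone gives procmail_tmp_t no attributes, so
# files labelled with it could not "associate" with fs_t.  files_tmp_file()
# adds the tmpfile and file_type attributes, and file_type carries the
# filesystem associate permission the AVC reported missing.
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Needed for scripts called from procmail to read/write temp files
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read the alternatives link /usr/sbin/sendmail -> /etc/alternatives/mta
allow procmail_t sbin_t:lnk_file read;

# Transition to sendmail: in selinux-policy-2.2.34-2 onwards, so only
# uncomment on older policy (other MTAs may need their own transition)
# optional_policy(`sendmail',`
#       sendmail_domtrans(procmail_t)
# ')
```

Two practitioner caveats. audit2allow run over that record would propose the raw rule "allow procmail_tmp_t fs_t:filesystem associate;", which silences this one AVC but leaves the type without file_type, so other filesystem-level rules (relabelfrom/relabelto, tmpfs and other fs types) would keep failing one at a time; the interface is the right fix. After loading the module, "seinfo -tprocmail_tmp_t -x" (setools) should list file_type and tmpfile among the type's attributes; if it does not, the declaration was not picked up.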
