postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Tue May 30 15:32:17 UTC 2006


Marc Schwartz wrote:
> Hi all,
> 
> I took advantage of the long weekend here in the States to finally 
> update to FC5.  All went well in general, however it has become apparent 
> that procmail is problematic with SELinux enabled.
> 
> fetchmail and postfix work fine in terms of getting my e-mail from 
> multiple POP3 accounts. However local (~/.procmailrc) procmail filtering 
> does not.
> 
> My FC4 configuration files, with a few edits to reflect some path 
> changes for postfix, now work fine with SELinux disabled. I was not 
> running SELinux on FC4 and all worked fine there.
> 
> I found other FC5/SELinux posts where others have had similar problems 
> and disabling SELinux solved them.
> 
> This is on a fully updated FC5 system as of the writing of this post.
> 
> Is there a policy update pending to resolve this issue or some temporary 
> steps that can be used in the interim, short of disabling SELinux entirely?

I'm using procmail with sendmail on FC5, and whilst there were 
significant problems getting it to work with the out-of-the-box policy, 
it's mostly fixed now. The only local tweaks I do to policy are to add 
the ability to write a log file to /var/log (probably peculiar to me), 
to allow it to forward mail by calling sendmail (I think policy still 
doesn't allow reading of the /usr/sbin/sendmail -> /etc/alternatives/mta 
symlink, which pretty much most procmail users will need), and to allow 
programs called from procmail to create temporary files.

If you run SELinux in permissive mode and post the AVCs that get logged 
when procmail is running, it should be possible to get this fixed.

Paul.
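
Added example, not part of the original post or either poster's code: once AVCs have been collected in permissive mode as suggested above, a small parser like this groups the denials for one domain into candidate allow rules to review before posting. The sample log lines, the target types in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, not from the original thread. The target
# types (etc_t, var_log_t, tmp_t) are illustrative assumptions.
_HDR = 'type=AVC msg=audit(1149003137.101:41): avc:  denied  '
_CTX = 'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:'
SAMPLE_LOG = "\n".join([
    _HDR + '{ read } for  pid=2101 comm="procmail" name="mta" ' + _CTX + 'etc_t:s0 tclass=lnk_file',
    _HDR + '{ append } for  pid=2101 comm="procmail" name="procmail.log" ' + _CTX + 'var_log_t:s0 tclass=file',
    _HDR + '{ write add_name } for  pid=2102 comm="formail" name="tmp" ' + _CTX + 'tmp_t:s0 tclass=dir',
    _HDR + '{ write } for  pid=2103 comm="formail" name="tmp" ' + _CTX + 'tmp_t:s0 tclass=dir',
    _HDR + '{ create } for  pid=2102 comm="formail" name="f.tmp" ' + _CTX + 'tmp_t:s0 tclass=file',
    # Different source domain: must be ignored when filtering on procmail_t.
    _HDR + '{ read } for  pid=2200 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 '
           'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1149003137.101:41): arch=40000003 syscall=5 success=no',
])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def denials_for_domain(log_text, domain="procmail_t"):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m.group("scon")) != domain:
            continue
        key = (domain, context_type(m.group("tcon")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return dict(grouped)

def candidate_rules(grouped):
    """Render the grouped denials as allow rules, one per (target, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(denials_for_domain(SAMPLE_LOG))))
```

Each candidate rule should be read against what procmail actually needs before it goes into local policy; a denial being logged does not by itself mean the access should be granted.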



