procmail

Paul Howarth paul at city-fan.org
Wed May 10 14:59:11 UTC 2006


Paul Howarth wrote:
> Christopher J. PeBenito wrote:
>> On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
>>> Paul Howarth wrote:
>>
>>> module procmail 0.1;
>>>
>>> require {
>> [cut]
>>>          class dir { add_name getattr read remove_name search write };
>>>          class file { append create execute execute_no_trans getattr 
>>> ioctl lock read rename unlink write };
>>>          class lnk_file read;
>>>          class process { noatsecure sigchld siginh transition 
>>> rlimitinh };
>>>          class fd { use };
>>>          class fifo_file { getattr read write append ioctl lock };
>> [cut]
>>> This does seem to work but surely there's a tidier way of handling 
>>> those class requirements? What am I missing?
>>
>> You want to use the "policy_module(procmail,0.1)" macro instead of the
>> module statement at the top.  It adds all of the kernel object classes,
>> so you don't have to write them all out.
> 
> Thanks, that's much better:
> 
> policy_module(procmail, 0.2)
> 
> require {
>     type procmail_t;
>     type sbin_t;
>     type var_log_t;
> };
> 
> # Needed for writing to /var/log/procmail.log
> allow procmail_t var_log_t:dir search;
> allow procmail_t var_log_t:file append;
> 
> # ==============================================
> # Procmail needs to call sendmail for forwarding
> # ==============================================
> # This should be in selinux-policy-2.2.34-2 onwards
> 
> # Read alternatives link
> allow procmail_t sbin_t:lnk_file read;
> 
> # Allow transition to sendmail
> # (may need similar code for other MTAs that can replace sendmail)
> optional_policy(`sendmail',`
>     sendmail_domtrans(procmail_t)
> ')

selinux-policy-2.2.34-2 has the domain transition allowing procmail to 
run sendmail, but:

1. it still doesn't allow the sbin_t:lnk_file read to follow the 
"alternatives" link /usr/sbin/sendmail -> /etc/alternatives/mta

2. there will need to be a transition enabled for other MTAs that can 
replace sendmail, such as postfix, exim, etc., if their 
sendmail-compatible command-line program is not labelled sendmail_exec_t.

Paul.
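Both points above come down to labelling along the path procmail takes to reach the MTA: every symlink hop needs a `<type>:lnk_file read` rule for procmail_t, and the final binary must be sendmail_exec_t or `sendmail_domtrans(procmail_t)` never fires. The script below is an added example for checking that on a system, not something from this thread or from the selinux-policy package. It walks the chain from /usr/sbin/sendmail and reports the type at each hop; reading the context with GNU `stat -c %C` is an assumption (older systems would use `ls -Zd` instead), and the `--live` switch keeps the system-specific part from running unless asked for.

```sh
#!/bin/sh
# Walk the symlink chain procmail follows to reach the MTA and report the
# SELinux type at each hop. Each symlink hop needs a <type>:lnk_file read
# rule for procmail_t; the final binary must be sendmail_exec_t or
# sendmail_domtrans(procmail_t) never fires.

# Type field of a security context "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True if the context's type is the one sendmail_domtrans keys off.
mta_label_ok() {
    [ "$(context_type "$1")" = sendmail_exec_t ]
}

# Print every hop from $1 down to the first non-symlink, one per line.
# Relative link targets are resolved against the link's own directory,
# which is how /usr/sbin/sendmail -> /etc/alternatives/mta -> <binary> works.
resolve_chain() {
    p=$1
    hops=0
    while :; do
        printf '%s\n' "$p"
        [ -L "$p" ] || return 0
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            echo "resolve_chain: too many symlink hops from $1" >&2
            return 1
        fi
        t=$(readlink "$p") || return 1
        case "$t" in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
    done
}

# Live report for a running system. Reading the context with GNU
# "stat -c %C" is an assumption; stat without -L reports the link itself.
report_mta_chain() {
    start=${1:-/usr/sbin/sendmail}
    resolve_chain "$start" | while read -r hop; do
        ctx=$(stat -c %C "$hop" 2>/dev/null) || ctx='?:?:unknown'
        ty=$(context_type "$ctx")
        if [ -L "$hop" ]; then
            printf '%s: symlink, type %s (procmail_t needs %s:lnk_file read)\n' "$hop" "$ty" "$ty"
        elif mta_label_ok "$ctx"; then
            printf '%s: binary, type %s (sendmail_domtrans applies)\n' "$hop" "$ty"
        else
            printf '%s: binary, type %s (not sendmail_exec_t; no transition)\n' "$hop" "$ty"
        fi
    done
}

# Run the live report only when asked, e.g.:  sh check_mta_chain.sh --live
if [ "${1:-}" = "--live" ]; then
    report_mta_chain "${2:-/usr/sbin/sendmail}"
fi
```

On a box where the alternatives link points at postfix's or exim's sendmail wrapper, the last line of the report shows immediately whether that binary carries sendmail_exec_t (in which case the existing sendmail_domtrans rule is enough) or something else (in which case the module needs a matching transition for that MTA's domain).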

More information about the fedora-selinux-list mailing list