procmail
Paul Howarth
paul at city-fan.org
Wed May 10 14:59:11 UTC 2006
Paul Howarth wrote:
> Christopher J. PeBenito wrote:
>> On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
>>> Paul Howarth wrote:
>>
>>> module procmail 0.1;
>>>
>>> require {
>> [cut]
>>> class dir { add_name getattr read remove_name search write };
>>> class file { append create execute execute_no_trans getattr
>>> ioctl lock read rename unlink write };
>>> class lnk_file read;
>>> class process { noatsecure sigchld siginh transition
>>> rlimitinh };
>>> class fd { use };
>>> class fifo_file { getattr read write append ioctl lock };
>> [cut]
>>> This does seem to work but surely there's a tidier way of handling
>>> those class requirements? What am I missing?
>>
>> You want to use the "policy_module(procmail,0.1)" macro instead of the
>> module statement at the top. It adds all of the kernel object classes,
>> so you don't have to write them all out.
>
> Thanks, that's much better:
>
> policy_module(procmail, 0.2)
>
> require {
> type procmail_t;
> type sbin_t;
> type var_log_t;
> };
>
> # Needed for writing to /var/log/procmail.log
> allow procmail_t var_log_t:dir search;
> allow procmail_t var_log_t:file append;
>
> # ==============================================
> # Procmail needs to call sendmail for forwarding
> # ==============================================
> # This should be in selinux-policy-2.2.34-2 onwards
>
> # Read alternatives link
> allow procmail_t sbin_t:lnk_file read;
>
> # Allow transition to sendmail
> # (may need similar code for other MTAs that can replace sendmail)
> optional_policy(`sendmail',`
> sendmail_domtrans(procmail_t)
> ')
selinux-policy-2.2.34-2 has the domain transition allowing procmail to
run sendmail, but:
1. it still doesn't allow the sbin_t:lnk_file read to follow the
"alternatives" link /usr/sbin/sendmail -> /etc/alternatives/mta
2. there will need to be a transition enabled for other MTAs that can
replace sendmail, such as postfix, exim, etc. if their
sendmail-compatible command-line program is not labelled sendmail_exec_t.
Paul.
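The two points left open above (a lnk_file read on every symlink hop, and the final target having to carry sendmail_exec_t for the transition to fire) can be checked by walking the chain that procmail follows when it execs /usr/sbin/sendmail. The script below is an added example, not code from this thread or from the selinux-policy package: it resolves each hop with os.readlink(), reads the hop's context from the security.selinux xattr, and prints the rules the calling domain needs. By default it runs against an in-memory filesystem constructed here, so the paths, link targets and labels in that data (including etc_t on /etc/alternatives/mta and the hypothetical sendmail.othermta labelled bin_t) are assumptions for illustration, not observations from a real host.

```python
"""Walk the symlink chain procmail follows to reach sendmail and derive the
SELinux rules the calling domain needs for each hop.

Added example, not code from the thread or from selinux-policy.  On a live
SELinux host RealFS reads link targets with os.readlink() and labels from
the security.selinux xattr; FakeFS holds a constructed chain so the script
runs offline.  Every path, link target and label in the constructed data is
an assumption for illustration.
"""
import os
import posixpath

SELINUX_XATTR = "security.selinux"


class RealFS:
    """Adapter over the live filesystem (needs Linux with SELinux labels)."""

    def readlink(self, path):
        return os.readlink(path) if os.path.islink(path) else None

    def label(self, path):
        try:
            raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
        except OSError:
            return None
        return raw.decode().rstrip("\x00")


class FakeFS:
    """Constructed filesystem: path -> (link target or None, SELinux context)."""

    def __init__(self, entries):
        self.entries = entries

    def readlink(self, path):
        return self.entries[path][0]

    def label(self, path):
        return self.entries[path][1]


# Constructed chain matching the thread: sendmail -> alternatives link ->
# real sendmail binary labelled sendmail_exec_t (all labels are assumptions).
FS_OK = FakeFS({
    "/usr/sbin/sendmail": ("/etc/alternatives/mta", "system_u:object_r:sbin_t:s0"),
    "/etc/alternatives/mta": ("/usr/sbin/sendmail.sendmail", "system_u:object_r:etc_t:s0"),
    "/usr/sbin/sendmail.sendmail": (None, "system_u:object_r:sendmail_exec_t:s0"),
})

# Constructed failure case from point 2 of the reply: a replacement MTA whose
# sendmail-compatible binary is not labelled sendmail_exec_t (hypothetical name).
FS_UNLABELLED = FakeFS({
    "/usr/sbin/sendmail": ("/etc/alternatives/mta", "system_u:object_r:sbin_t:s0"),
    "/etc/alternatives/mta": ("/usr/sbin/sendmail.othermta", "system_u:object_r:etc_t:s0"),
    "/usr/sbin/sendmail.othermta": (None, "system_u:object_r:bin_t:s0"),
})


def context_type(context):
    """'system_u:object_r:sbin_t:s0' -> 'sbin_t'."""
    return context.split(":")[2]


def walk_chain(fs, path, max_hops=16):
    """Return [(path, type, is_symlink), ...] from `path` to its final target."""
    hops = []
    for _ in range(max_hops):
        target = fs.readlink(path)
        ctx = fs.label(path)
        if ctx is None:
            raise LookupError("no SELinux label on " + path)
        hops.append((path, context_type(ctx), target is not None))
        if target is None:
            return hops
        # A relative link target is resolved against the link's own directory.
        path = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
    raise LookupError("symlink chain longer than %d hops" % max_hops)


def derive_rules(hops, caller="procmail_t", exec_type="sendmail_exec_t"):
    """Rules the caller needs on top of sendmail_domtrans(): lnk_file read on
    each distinct symlink type, then a check that the target carries exec_type,
    because the domain transition only fires on that type."""
    rules = []
    seen = set()
    for path, t, is_link in hops:
        if is_link and t not in seen:
            seen.add(t)
            rules.append("allow %s %s:lnk_file read;  # follow %s" % (caller, t, path))
    final_path, final_type, _ = hops[-1]
    if final_type == exec_type:
        rules.append("sendmail_domtrans(%s)  # %s is %s" % (caller, final_path, exec_type))
    else:
        rules.append("# WARNING: %s is %s, not %s: sendmail_domtrans(%s) will not "
                     "apply; relabel it or add a transition for that MTA's domain"
                     % (final_path, final_type, exec_type, caller))
    return rules


if __name__ == "__main__":
    import sys
    # Pass --live to inspect the real /usr/sbin/sendmail on an SELinux host.
    fs = RealFS() if "--live" in sys.argv else FS_OK
    for rule in derive_rules(walk_chain(fs, "/usr/sbin/sendmail")):
        print(rule)
```

Run with --live on the host in question to see which lnk_file types the chain really crosses; the etc_t hop is usually already covered by the base policy, so only the rules that turn up as denials in the audit log need to go into the local module.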