procmail with nfs home dirs

Matthew Gillen matt at gillens.us
Thu Sep 7 23:38:08 UTC 2006


Daniel J Walsh wrote:
> Matthew Gillen wrote:
>> Hi,
>> I'm new to SELinux, and I was having some problems with procmail not
>> working
>> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>>
>> There seemed to be a discussion about a similar issue a while back:
>> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
>> but the solutions there didn't solve my problem.
>>
>> In any event, I managed to get it working for myself using the following
>> policy module.  The 'autofs_t:dir search' part seemed to be needed to
>> find
>> my .procmailrc file, and the rest looks like it is needed to write
>> messages
>> into my maildirs under $HOME/Mail/
>>
>> If anyone has suggestions on how to improve this I'd be happy to hear
>> them.
>> Thanks,
>> Matt
>>
>> --------------------------------------
>> module procmailnfs 1.0;
>>
>> require {
>>         class dir { getattr search write };
>>         class file { append getattr read };
>>         type autofs_t;
>>         type default_t;
>>         type procmail_t;
>>         role system_r;
>> };
>>
>> allow procmail_t autofs_t:dir search;
>> allow procmail_t default_t:dir { getattr search write };
>> allow procmail_t default_t:file { append getattr read };
>> --------------------------------------
>>
> This looks like a labeling problem.  What directory is labeled default_t?

I think I need to explain a bit more about my setup.  Basically, I've got
one machine that's an NIS+NFS server and a mail server.  This machine has
/export/home set up as one of its NFS shares.
After a '/sbin/restorecon -v -R /export/home', the ls -Z output for
/export/home/username is system_u:object_r:default_t.

Here's where it gets interesting.  The NFS server will automount from itself
for users in NIS.  If I log into the NFS server as 'username' and do 'ls
-lZd /home/username', the result is 'system_u:object_r:default_t'.  However,
if I'm on some other machine (that is an NFS client), the 'ls -Z' output for
/home/username is 'system_u:object_r:nfs_t'.

On both machines (the NFS server+client and the pure client), the ls -Z
output for /home indicates 'system_u:object_r:autofs_t'.

So, maybe what's ultimately going on is that there's a bug in setting the
context for a locally-served NFS share?

Thanks,
Matt
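As an added illustration (not code from the thread or from the SELinux project), the script below aggregates AVC denials of the kind procmail logs in this situation into a module of the same shape as the one quoted above, and flags any rule whose target is default_t, which, as Dan's reply points out, signals a labeling problem rather than missing policy. The audit records are constructed samples and the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log AVC records (not from the thread), shaped like the
# denials procmail would log while delivering into an autofs/NFS home directory.
SAMPLE_AVC = """\
type=AVC msg=audit(1157672000.123:45): avc:  denied  { search } for  pid=1234 comm="procmail" name="home" dev=autofs ino=12 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1157672000.456:46): avc:  denied  { write } for  pid=1234 comm="procmail" name="new" dev=sda1 ino=99 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1157672000.789:47): avc:  denied  { append } for  pid=1234 comm="procmail" name="msg.1" dev=sda1 ino=100 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1157672001.012:48): avc:  denied  { read } for  pid=1234 comm="procmail" name="msg.1" dev=sda1 ino=100 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
                    r"scontext=\w+:\w+:(?P<stype>\w+)\S*\s+"
                    r"tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)")

# Fallback types: an allow rule against these hides a labeling problem instead of fixing it.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}

def parse_avc(log_text):
    """Aggregate denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def labeling_suspects(rules):
    """Target types whose presence suggests mislabeled files rather than missing policy."""
    return sorted({t for (_, t, _) in rules if t in FALLBACK_TYPES})

def render_module(rules, name="procmailnfs", version="1.0"):
    """Emit a .te module in the same shape as the one quoted in the thread."""
    classes, types = defaultdict(set), set()
    for (s, t, c), perms in rules.items():
        classes[c].update(perms)
        types.update((s, t))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)] + ["\trole system_r;", "};", ""]
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    for t in labeling_suspects(rules):
        out.append(f"# WARNING: rules against {t} usually mean a labeling problem; fix contexts first")
    return "\n".join(out)
```

Run `print(render_module(parse_avc(SAMPLE_AVC)))` to see the generated module; on a real system feed it the AVC lines from /var/log/audit/audit.log instead of the sample.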
