On Tue, 13 Apr 2004 20:36, Mike Chambers <mike@xxxxxxxxxxxx> wrote:
> I have found these this morning in my logs after the latest kernel from
> rawhide on a FC2T2 system...

I've attached a new procmail policy, please check it out.

I would like to know what procmail is doing with Perl, is it just for
spamassassin? If so then we probably need a domain transition.

In any case we don't want to grant procmail_t access to shadow_t. Either the
access is not needed and we can use a dontaudit, or we need to change procmail
to use unix_chkpwd or some other method of doing whatever it may want to do.

It's bad enough that we have to grant RADIUS servers access to it!

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
#DESC Procmail - Mail delivery agent for mail servers
#
# Author:  Russell Coker <russell@xxxxxxxxxxxx>
# X-Debian-Packages: procmail
#

#################################
#
# Rules for the procmail_t domain.
#
# procmail_exec_t is the type of the procmail executable.
#
# privhome only works until we define a different type for maildir
type procmail_t, domain, privlog, privhome;
type procmail_exec_t, file_type, sysadmfile, exec_type;
role system_r types procmail_t;
uses_shlib(procmail_t)

allow procmail_t device_t:dir search;

can_network(procmail_t)
can_ypbind(procmail_t)

allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };

allow procmail_t etc_t:dir r_dir_perms;
allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
allow procmail_t etc_t:lnk_file read;
read_locale(procmail_t)
read_sysctl(procmail_t)
allow procmail_t sysctl_t:dir search;

allow procmail_t self:process { setsched fork sigchld signal };

can_exec(procmail_t, { bin_t shell_exec_t })
allow procmail_t bin_t:dir { getattr search };
allow procmail_t bin_t:lnk_file read;

allow procmail_t self:fifo_file rw_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;

# for /var/mail
rw_dir_create_file(procmail_t, mail_spool_t)
allow procmail_t var_t:dir { getattr search };
allow procmail_t var_spool_t:dir r_dir_perms;

allow procmail_t fs_t:filesystem getattr;

allow procmail_t { self proc_t }:dir search;
allow procmail_t proc_t:file { getattr read };
allow procmail_t { self proc_t }:lnk_file read;

# for if /var/mail is a symlink to /var/spool/mail
#allow procmail_t mail_spool_t:lnk_file r_file_perms;

# for spamassassin
allow procmail_t usr_t:file { getattr ioctl read };

# Search /var/run.
allow procmail_t var_run_t:dir { getattr search };

# Do not audit attempts to access /root.
dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };

allow procmail_t devtty_t:chr_file { read write };
allow procmail_t urandom_device_t:chr_file { getattr read };

ifdef(`sendmail.te', `
r_dir_file(procmail_t, etc_mail_t)
')
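The two alternatives the message describes (silence the denial with a dontaudit, or move the Perl code into its own domain so procmail_t never needs the access), written out as an added example policy fragment. This is not part of the attached procmail.te; it assumes the Perl code is spamassassin, and spamassassin_t and spamassassin_exec_t are assumed type names that the attached policy does not define.

```m4
# Added example, not part of the attached procmail policy: the two ways to keep
# procmail_t away from shadow_t that the message describes.

# Option 1: the access is simply not needed.  It stays denied, but the AVC is
# no longer logged, so real denials are not buried under it.
dontaudit procmail_t shadow_t:file { getattr read };

# Option 2: the Perl code (assumed here to be spamassassin) gets its own
# domain, so procmail_t itself never needs the access.  spamassassin_t and
# spamassassin_exec_t are assumed type names for this example.
type spamassassin_t, domain, privlog;
type spamassassin_exec_t, file_type, sysadmfile, exec_type;
role system_r types spamassassin_t;
uses_shlib(spamassassin_t)

# Executing a spamassassin_exec_t file from procmail_t transitions to
# spamassassin_t (example-policy macro; it also supplies the fd, fifo and
# sigchld rules the child needs to talk back to procmail_t).
domain_auto_trans(procmail_t, spamassassin_exec_t, spamassassin_t)

# Give the new domain only what it needs (Perl modules under /usr, network
# access for DNS-based checks), not procmail_t's full set of rules.
allow spamassassin_t usr_t:file { getattr ioctl read };
can_network(spamassassin_t)

# Even in its own domain, shadow stays out of reach: silence, never allow.
dontaudit spamassassin_t shadow_t:file { getattr read };

# The rule the message says we do not want, kept here only as a reminder:
#allow procmail_t shadow_t:file { getattr read };
```

Whichever option is taken, the denial itself is preserved; the difference is only whether it is logged and which domain the Perl code runs in.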