Re: procmail

Daniel J Walsh wrote:
Paul Howarth wrote:
I use procmail as my local delivery agent from sendmail. In FC5 this appears to be running as procmail_t.

Procmail offers the ability to pipe mail through programs (filters), and I use this facility from time to time. I'm getting quite a lot of denials when doing this and wonder what the right approach to fixing them is.



Case 1: a locally-written shell script called "spamdomain"

This is in my ~/bin directory and of type user_home_t

Procmail recipe:
SPAMDOMAIN=`spamdomain`

Result:

Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc: denied { execute } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc: denied { execute_no_trans } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file


You could relabel it bin_t?

chcon -t bin_t ~/bin/spamdomain

That seems to have worked nicely.

Case 2: piping mail through "sa-learn"

I run spamass-milter to reject mail in-protocol and then my own local filter using procmail on anything that gets through. If I'm sure something's spam, I like spamassassin to learn about it so I might reject it earlier in future. So I pipe it through sa-learn (spamd_exec_t):

Shouldn't sa-learn be labeled spamc_exec_t?

If you change it to

chcon -t spamc_exec_t /usr/bin/sa-learn

Does it work?

That's looking OK so far too.

Next issue. One of the actions a procmail recipe can have is to forward mail somewhere else. It uses sendmail to do this. Running sendmail from procmail doesn't seem to involve a domain transition, so I get:

Try to read alternatives link for sendmail:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file

Try to run sendmail:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

Sendmail running in procmail_t instead of sendmail_t:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc: denied { search } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12697): avc: denied { getattr } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12698): avc: denied { write } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12699): avc: denied { add_name } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12700): avc: denied { create } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.592:12701): avc: denied { lock } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied { name_connect } for pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12703): avc: denied { remove_name } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12704): avc: denied { unlink } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12705): avc: denied { read } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

And finally for today, I have in /etc/procmailrc the following line:

LOGFILE=/var/log/procmail.log

For any account that doesn't override LOGFILE in a per-account .procmailrc, this causes procmail to log message delivery in /var/log/procmail.log. The policy appears to support logging via syslog (something I can't find how to configure), but not to files. Is that right?

Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.930:12668): avc: denied { search } for pid=2774 comm="procmail" name="log" dev=dm-4 ino=851969 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: denied { append } for pid=2774 comm="procmail" name="procmail.log" dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
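The denials in the thread fall into three classes that call for three different fixes: a wrongly labeled file (case 1, fixed with chcon), a program run in the caller's domain because no transition exists (sendmail stays in procmail_t), and an access the domain is genuinely not granted (appending to var_log_t). The script below is an added example, not part of the thread and not a Fedora or SELinux tool; it parses the kernel-format AVC records quoted above (copied from the messages, including one line where extraction fused several records together), merges them per (source type, target type, class) the way audit2allow does, and separates the execute/execute_no_trans-against-*_exec_t pattern, which points at a missing domain transition, from plain allow candidates. The heuristics are the author's own, not policy rules from the refpolicy.

```python
import re
from collections import defaultdict

# AVC records as quoted in the thread (FC5-era kernel "audit(...)" syntax, without
# the type=AVC prefix auditd adds). The third line is left exactly as the archive
# fused it, two records on one line, so the parser has to cope with that.
SAMPLE_LOG = """\
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc: denied { execute } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc: denied { execute_no_trans } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied { name_connect } for pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: denied { append } for pid=2774 comm="procmail" name="procmail.log" dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
"""

# One match per record. "fields" is non-greedy and "." does not cross newlines,
# so a record can never swallow the scontext of the next one, even when several
# records share a physical line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type (e.g. system_u:system_r:procmail_t:s0 -> procmail_t)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial found anywhere in text."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = m.group("fields")
        comm = re.search(r'comm="([^"]*)"', fields)
        name = re.search(r'name="([^"]*)"', fields)
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "comm": comm.group(1) if comm else None,
            "name": name.group(1) if name else None,
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def summarize(records):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)


def allow_rules(summary):
    """The literal allow rules that would silence every denial (what audit2allow emits).
    Useful as a worst case to compare against, not as the fix to apply blindly."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def missing_transitions(summary):
    """(source, target) pairs where the domain executed an *_exec_t file without
    transitioning. The target type is an entrypoint for some domain, so a
    transition rule (or running via the proper domain) is the fix; allowing
    execute_no_trans would run that program with the caller's privileges."""
    return sorted(
        (stype, ttype)
        for (stype, ttype, tclass), perms in summary.items()
        if tclass == "file" and "execute_no_trans" in perms and ttype.endswith("_exec_t")
    )


def relabel_candidates(summary):
    """(source, target) pairs where a domain tried to execute a file whose type is
    not an executable type at all (user_home_t in case 1); usually a labeling
    problem fixed with chcon/semanage fcontext, as the thread did with bin_t."""
    return sorted(
        (stype, ttype)
        for (stype, ttype, tclass), perms in summary.items()
        if tclass == "file" and "execute" in perms and not ttype.endswith("_exec_t")
        and ttype not in ("bin_t", "sbin_t", "shell_exec_t")
    )


if __name__ == "__main__":
    s = summarize(parse_avc(SAMPLE_LOG))
    print("missing transitions:", missing_transitions(s))
    print("relabel candidates: ", relabel_candidates(s))
    for rule in allow_rules(s):
        print(rule)
```

Run against the thread's own denials it reports procmail_t -> sendmail_exec_t as a missing transition (the sendmail-in-procmail_t case), procmail_t -> user_home_t as a labeling problem (case 1), and leaves the var_log_t append and smtp_port_t name_connect as plain allow candidates for the policy maintainer to judge. The type-name suffix checks are a heuristic; on a real system confirm with seinfo/sesearch before writing policy.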
