Paul Howarth wrote:
One of the actions a procmail recipe can have is to forward
mail somewhere else. It uses sendmail to do this. Running sendmail from
procmail doesn't seem to involve a domain transition, so I get:
Try to read alternatives link for sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file

Try to run sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
I see from the rawhide report that something to address this has gone into
selinux-policy-2.2.34-2 (thanks).
Anyway, I tried fixing it myself as follows yesterday:
module procmail 0.1;

require {
	role object_r;
	role system_r;
	# Classes and permissions referenced by the rules and by the
	# sendmail_domtrans() expansion below
	class dir { add_name getattr read remove_name search write };
	class file { append create execute execute_no_trans getattr
	             ioctl lock read rename unlink write };
	class lnk_file read;
	class process { noatsecure sigchld siginh transition rlimitinh };
	class fd { use };
	class fifo_file { getattr read write append ioctl lock };
	# Types referenced by the rules below
	type procmail_t;
	type var_log_t;
	type sbin_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Procmail needs to call sendmail for forwarding: /usr/sbin/sendmail is an
# alternatives symlink labelled sbin_t, so allow reading the link, then
# transition into sendmail's domain instead of running it in procmail_t
allow procmail_t sbin_t:lnk_file read;
optional_policy(`sendmail',`
	sendmail_domtrans(procmail_t)
')
This does seem to work, but surely there's a tidier way of handling those
class requirements? What am I missing?
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
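The following is an added example, not code from Paul's post or from the Fedora policy: a minimal audit2allow-style pass over the AVC records quoted above, written in plain POSIX sh and awk so it runs without the SELinux userland. It turns each denial into a raw allow rule keyed on (source type, target type, class), merging the permissions, and then wraps the rules in a loadable-module skeleton. The skeleton uses the reference policy's policy_module() and gen_require() macros; policy_module() already declares the kernel classes and permissions, which is why the generated require block lists only types. AVC_SAMPLE is a constructed copy of the four denials from the post, and the module name procmail_local is an arbitrary choice for this example. The raw rules it emits for sendmail_exec_t (execute, execute_no_trans) are exactly the ones a domain transition such as sendmail_domtrans() should replace; the script shows what the audit log asks for, not what the final policy should say.

```shell
#!/bin/sh
# Added example (not from the original post): minimal audit2allow-style
# conversion of AVC denials into allow rules and a module skeleton.
# AVC_SAMPLE is a constructed copy of the denials quoted in the post,
# one record per line.

AVC_SAMPLE='Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file'

# avc_to_allow: read AVC records on stdin, print one "allow" rule per
# (source type, target type, class) with the denied permissions merged.
# A context is user:role:type:level, so the type is the third field;
# the permissions sit between "{" and "}".
avc_to_allow() {
    awk '
    /avc: *denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " merged[key] " ", " " p[i] " ") == 0)
                merged[key] = (merged[key] == "" ? p[i] : merged[key] " " p[i])
    }
    END { for (k in merged) printf "allow %s { %s };\n", k, merged[k] }
    ' | sort
}

# make_te: wrap the allow rules on stdin in a loadable-module skeleton.
# Only the types need declaring: policy_module() itself requires the
# kernel classes and permissions, so no "class ..." list is needed.
# $1 is the module name (procmail_local is an arbitrary example name).
make_te() {
    rules=$(cat)
    types=$(printf '%s\n' "$rules" | awk '{ sub(/:.*/, "", $3); print $2; print $3 }' | sort -u)
    printf 'policy_module(%s, 0.1)\n\n' "${1:-procmail_local}"
    printf 'gen_require(`\n'
    printf '%s\n' "$types" | awk '{ print "\ttype " $0 ";" }'
    printf "')\n\n"
    printf '%s\n' "$rules"
}

# Stand-alone run: print the generated module for the sample denials.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | make_te procmail_local
```

Run on a live system, the same functions take `ausearch -m avc` or `grep avc: /var/log/messages` on stdin; audit2allow -M does this job properly, and its -R option tries to replace raw rules with reference-policy interfaces.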