Re: procmail

Paul Howarth wrote:
Christopher J. PeBenito wrote:
On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
Paul Howarth wrote:

module procmail 0.1;

require {
[cut]
    class dir { add_name getattr read remove_name search write };
    class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
    class lnk_file read;
    class process { noatsecure sigchld siginh transition rlimitinh };
    class fd { use };
    class fifo_file { getattr read write append ioctl lock };
[cut]
This does seem to work but surely there's a tidier way of handling those class requirements? What am I missing?

You want to use the "policy_module(procmail,0.1)" macro instead of the
module statement at the top.  It adds all of the kernel object classes,
so you don't have to write them all out.

Thanks, that's much better:

policy_module(procmail, 0.2)

require {
    type procmail_t;
    type sbin_t;
    type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
    sendmail_domtrans(procmail_t)
')

selinux-policy-2.2.34-2 has the domain transition allowing procmail to run sendmail, but:

1. it still doesn't allow the sbin_t:lnk_file read to follow the "alternatives" link /usr/sbin/sendmail -> /etc/alternatives/mta

2. there will need to be a transition enabled for other MTAs that can replace sendmail, such as postfix, exim, etc. if their sendmail-compatible command-line program is not labelled sendmail_exec_t.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
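The allow rules in the module above are the kind that get derived from AVC denials in the audit log. As an added example (not code from the thread or from the SELinux tools), this audit2allow-style script parses constructed AVC lines, merges permissions per (source type, target type, class), and lists the types a require block needs; with policy_module() the object classes themselves need no declaration.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials matching the rules discussed in the thread;
# these are not real log lines from the list post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145612345.123:45): avc:  denied  { search } for  pid=1234 comm="procmail" name="log" dev=dm-0 ino=123 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1145612345.124:46): avc:  denied  { append } for  pid=1234 comm="procmail" name="procmail.log" dev=dm-0 ino=456 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1145612345.125:47): avc:  denied  { read } for  pid=1234 comm="procmail" name="sendmail" dev=dm-0 ino=789 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=AVC msg=audit(1145612345.126:48): avc:  denied  { getattr } for  pid=1234 comm="procmail" name="procmail.log" dev=dm-0 ino=456 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Pull the denied permissions, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # A context is user:role:type[:level]; the type is what allow rules name.
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["sctx"]), context_type(m["tctx"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render one merged allow rule per (source, target, class), sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def required_types(denials):
    """Types the module's require block must declare (classes come from policy_module())."""
    types = set()
    for src, tgt, _ in denials:
        types.update((src, tgt))
    return sorted(types)
```

Review the merged rules before loading them: a denial only shows what procmail tried, not whether granting it is appropriate.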
