On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > At this point it might be worth trying to remove some of the "strange"
> > policy items, such as:
> >
> > allow postfix_master_t man_t:file getattr;
> >
> > and see what, if anything fails. By doing this we might get some insight
> > into what is actually happening, or if nothing breaks, we could
> > dontaudit it instead of allowing it.
> >
> > Paul.
>
>
> Paul,
>
> Apologies for the delay in my reply, as I was traveling (Vienna,
> Austria) all of last week and got back late yesterday. My schedule there
> ended up being busier than I expected and did not have a chance to get
> to this.
>
> I tried to make the above modification to mypostfix.te, however when
> going back to build all of the policy modules, I now get an error:
>
> Compiling targeted procmail module
> /usr/bin/checkmodule: loading policy configuration from
> tmp/procmail.tmp
> procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line
> 57484:
> clamscan_domtrans(procmail_t)
> # ==============================================
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/procmail.mod] Error 1
>
>
> Line 41 in procmail.te (as noted above) is:
>
> clamscan_domtrans(procmail_t)
>
>
> This error occurs even without the modification to mypostfix.te, so I am
> unclear as to what happened since the last time I was able to build them
> all.
>
> I plead jet lag here and suspect that you might rapidly recognize what
> is happening and have an easy fix. If you need me to check some files,
> let me know.
The interface name has changed in a recent selinux-policy update. New
procmail.te:
policy_module(procmail, 0.5.3)
require {
type procmail_t;
type sendmail_t;
};
# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)
# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
# Hide uninteresting things when debugging using enableaudit.pp
mta_dontaudit_rw_queue(procmail_t)
# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)
# Procmail occasionally signals sendmail, e.g. when it times out during
forwarding
allow procmail_t sendmail_t:process signal;
# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)
# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamscan(procmail_t)
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
