On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > At this point it might be worth trying to remove some of the "strange"
> > policy items, such as:
> >
> > allow postfix_master_t man_t:file getattr;
> >
> > and see what, if anything, fails. By doing this we might get some insight
> > into what is actually happening, or if nothing breaks, we could
> > dontaudit it instead of allowing it.
> >
> > Paul.
>
> Paul,
>
> Apologies for the delay in my reply, as I was traveling (Vienna,
> Austria) all of last week and got back late yesterday. My schedule there
> ended up being busier than I expected and I did not have a chance to get
> to this.
>
> I tried to make the above modification to mypostfix.te, however when
> going back to build all of the policy modules, I now get an error:
>
> Compiling targeted procmail module
> /usr/bin/checkmodule: loading policy configuration from tmp/procmail.tmp
> procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line 57484:
> clamscan_domtrans(procmail_t)
> # ==============================================
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/procmail.mod] Error 1
>
> Line 41 in procmail.te (as noted above) is:
>
> clamscan_domtrans(procmail_t)
>
> This error occurs even without the modification to mypostfix.te, so I am
> unclear as to what happened since the last time I was able to build them
> all.
>
> I plead jet lag here and suspect that you might rapidly recognize what
> is happening and have an easy fix. If you need me to check some files,
> let me know.

The interface name has changed in a recent selinux-policy update.

New procmail.te:

policy_module(procmail, 0.5.3)

require {
	type procmail_t;
	type sendmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t, procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# Hide uninteresting things when debugging using enableaudit.pp
mta_dontaudit_rw_queue(procmail_t)

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
allow procmail_t sendmail_t:process signal;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamscan(procmail_t)

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
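The "syntax error at token" failure above is what checkmodule reports when a .te file calls an interface that the installed policy headers no longer define. As an added example (not code from the thread), the shell check below lists every interface call in a .te file that has no interface(`name') or template(`name') definition under a header directory, so a rename like clamscan_domtrans to clamav_domtrans_clamscan is caught before running make; the Fedora header path /usr/share/selinux/devel/include is an assumption, and the sample .if and .te files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Lists interface calls in a .te file
# that no interface(`name') / template(`name') under INCLUDE_DIR defines,
# which is what checkmodule reports as "syntax error at token '<name>'".
# On Fedora the headers live under /usr/share/selinux/devel/include (assumption).

# undefined_interfaces TE_FILE INCLUDE_DIR -> prints undefined names, one per line
undefined_interfaces() {
    te="$1"; inc="$2"
    # Calls are identifiers at line start followed by '('; comment lines are skipped.
    grep -o '^[[:blank:]]*[a-z_][a-z0-9_]*(' "$te" | tr -d '([:blank:]' | sort -u |
    while read -r name; do
        # policy_module() comes from the build system, not from a policy interface
        [ "$name" = policy_module ] && continue
        # '.' stands for the M4 backtick that opens the quoted interface name
        if ! grep -rqE "^(interface|template)\(.$name'" "$inc"; then
            echo "$name"
        fi
    done
}

# Constructed sample tree: headers defining the current ClamAV interface and
# files_tmp_file, plus a procmail.te still calling the old name from the thread.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/include/contrib" "$SAMPLE/include/kernel"
cat > "$SAMPLE/include/contrib/clamav.if" <<'EOF'
interface(`clamav_domtrans_clamscan',`
	gen_require(`
		type clamscan_t, clamscan_exec_t;
	')
	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
EOF
cat > "$SAMPLE/include/kernel/files.if" <<'EOF'
interface(`files_tmp_file',`
	files_type($1)
')
EOF
cat > "$SAMPLE/procmail.te" <<'EOF'
policy_module(procmail, 0.5.3)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
# sendmail_domtrans(procmail_t)
clamscan_domtrans(procmail_t)
EOF

# Prints "clamscan_domtrans": the only call with no definition in the headers.
undefined_interfaces "$SAMPLE/procmail.te" "$SAMPLE/include"
```

Run it against the real module and header directory instead of the sample tree to see which calls the current selinux-policy headers no longer provide.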