Re: procmail vs amanda selinux hits

Daniel J Walsh wrote:

Gene Heskett wrote:
Greetings;

At about the time the backup program amanda is due to send me an email, I'm getting popups from selinux.

Amanda is at times trying to send the user gene an email, some of which I do get, but:

From setroubleshoot:
SUMMARY
SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).

On a related matter, I sometimes like to use a system-wide procmail script (/etc/procmailrc) and have system-wide procmail logs to go with that, which can be done by putting in /etc/procmailrc something like:

LOGFILE=/var/log/procmail.log
or
LOGFILE=/var/log/procmail/$LOGNAME

Current policy doesn't cater for this, so I added:

::::::::::::::
myprocmail.te
::::::::::::::
policy_module(myprocmail, 0.5.6)

require {
        type procmail_t;
        type sendmail_t;
};

# log files
type procmail_log_t;
logging_log_file(procmail_log_t)

# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
logging_log_filetrans(procmail_t,procmail_log_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy?)
corecmd_read_bin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
sendmail_signal(procmail_t)

::::::::::::::
myprocmail.fc
::::::::::::::
/var/log/procmail\.log -- gen_context(system_u:object_r:procmail_log_t,s0)
/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)

The last bits of policy are things I've had locally for a couple of Fedora releases now; not sure if they're in current policy but I think they should be.

Cheers, Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
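
Which paths the two myprocmail.fc entries above actually cover, as an added example that is not part of the original message or of the Fedora policy. It assumes the whole-path (anchored) matching that SELinux file-context entries use; the `lookup` helper and the sample paths are constructed for illustration.

```python
import re

# The two entries from myprocmail.fc, as (path regex, file-type specifier, context).
# "--" restricts an entry to regular files; None means any file type.
# gen_context(user:role:type,s0) is written out here as user:role:type:s0.
CONTEXT = "system_u:object_r:procmail_log_t:s0"
FC_ENTRIES = [
    (r"/var/log/procmail\.log", "--", CONTEXT),
    (r"/var/log/procmail(/.*)?", None, CONTEXT),
]


def lookup(path, ftype):
    """Return the context these entries assign to path, or None if neither applies.

    ftype uses the file_contexts specifiers: "--" regular file, "-d" directory.
    Patterns must match the whole path, so fullmatch() is used. (Hypothetical
    helper: it ignores the rest of the loaded policy and entry precedence,
    which does not matter here because the two patterns never overlap.)
    """
    for pattern, spec, context in FC_ENTRIES:
        if spec is not None and spec != ftype:
            continue
        if re.fullmatch(pattern, path):
            return context
    return None


# Constructed sample paths, not taken from the thread.
SAMPLES = [
    ("/var/log/procmail.log", "--"),
    ("/var/log/procmail", "-d"),
    ("/var/log/procmail/gene", "--"),
    ("/var/log/procmail.log.1", "--"),     # rotated-style name: not covered
    ("/var/log/procmail.log", "-d"),       # directory with that name: not covered
    ("/var/log/procmail-old/gene", "--"),  # sibling directory: not covered
]

if __name__ == "__main__":
    for path, ftype in SAMPLES:
        result = lookup(path, ftype) or "(no match in myprocmail.fc)"
        print(f"{path:30} {ftype}  ->  {result}")
```

The .fc entries decide labels at relabel time (for example with restorecon); objects that procmail_t itself creates in a log directory are labelled by the logging_log_filetrans rule in myprocmail.te.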
