On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
> On 04/05/2010 04:47 AM, Dominick Grift wrote:
> >type procmail_home_t;
> >userdom_user_home_content(procmail_home_t)
> >
> >optional_policy(`
> >gen_require(`
> >    type procmail_t;
> >')
> >
> >manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_search_user_home_dirs(procmail_t)
> >userdom_search_admin_dir(procmail_t)
> >')
> >
> >myprocmail.fc:
> >
> >HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> >/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> >
> >make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> >sudo semodule -i myprocmail.pp
> >sudo restorecon -v /root/.procmailrc
> >
> I will add this, but there is a comment in the current policy
>
> # only works until we define a different type for maildir
> userdom_manage_user_home_content_dirs(procmail_t)
> userdom_manage_user_home_content_files(procmail_t)
> userdom_manage_user_home_content_symlinks(procmail_t)
> userdom_manage_user_home_content_pipes(procmail_t)
> userdom_manage_user_home_content_sockets(procmail_t)
> userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
>
>
> Should we add a file context for maildir and add the symlinks,
> pipes, sockets for procmail_home_t?

I later noticed that comment as well and this probably complicates matters as procmail is likely not the only service that needs access to maildir. Also I believe there are different methods of storing e-mail. One of which is maildir, another mbox, I believe. There are probably more.

So I think we should figure out the locations and formats for storing e-mail and I think we should use a generic type for mail content in the user dirs. I wonder what the reason is that this has not been implemented yet (who made the comment in refpolicy and why?)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux