EL6: procmail vs. /home/*/bin/shellscript.sh

I'm using EL 6.2 with sendmail & procmail.  I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:

######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg

The script is labeled with home_bin_t:

-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0  /home/cra/bin/procmail-prune-backup-msg

which is a Bourne Shell script similar to this:

#!/bin/sh
# Keep only the newest 256 "msg.*" files in the backup folder; remove the rest.
# Abort if the cd fails so the rm below never runs in the wrong directory.
cd /home/cra/mail/backup || exit 1
# ls -t lists newest first; the pattern is quoted so grep sees the literal "msg."
/bin/ls -t | /bin/grep '^msg\.' | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f

In my procmail log I get:

/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied

It works if I "setenforce 0".

With Enforcing, here is the AVC I get (after enabling dontaudit rules
with semodule -DB):

# ausearch -i -m AVC
type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null) 
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc:  denied  { search } for  pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir 

I did a bunch of research on this and found this old changelog entry
and the discussions/bugzillas leading up to it:

#rpm -q selinux-policy 
selinux-policy-3.7.19-126.el6_2.10.noarch

#rpm -q --changelog selinux-policy
...
* Tue May 25 2010 Dan Walsh <dwalsh@xxxxxxxxxx> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label

Was there a recent regression that broke this functionality or did it
not really make it into Enterprise Linux despite this changelog?  Any
ideas on how to fix this cleanly without having to disable Enforcing
mode?

Thanks.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
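As an added example (not part of the original post, and not code from the selinux-policy project): a small Python parser that reads `ausearch -i` AVC records like the one above, pulls out the source type, target type, object class and denied permissions, and builds the corresponding type-enforcement allow rule, which is the same rule `audit2allow` derives from such a record. The sample record is a copy of the one in the post; the function names parse_avcs and allow_rules are my own.

```python
import re

# Constructed test input: a copy of the AVC record from the post, plus a
# second, hypothetical record of the kind that typically follows once the
# directory search is permitted (the script file itself being opened).
SAMPLE_AVCS = """\
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc:  denied  { search } for  pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
type=AVC msg=audit(05/17/2012 19:17:16.001:274) : avc:  denied  { read open } for  pid=5257 comm=sh name=procmail-prune-backup-msg scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=file
"""

# "avc:  denied  { search } for  pid=... tclass=dir"
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the interesting fields of one AVC line, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def parse_avcs(text):
    """Parse every AVC line in a block of ausearch -i output."""
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a]


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Build the TE allow rule that would permit this one denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(avc["scontext"]),
        context_type(avc["tcontext"]),
        avc["tclass"],
        " ".join(avc["perms"]),
    )


def allow_rules(text):
    """Deduplicated allow rules for all denials in the text, in first-seen order."""
    seen = []
    for avc in parse_avcs(text):
        if avc["result"] != "denied":
            continue
        rule = allow_rule(avc)
        if rule not in seen:
            seen.append(rule)
    return seen


if __name__ == "__main__":
    for avc in parse_avcs(SAMPLE_AVCS):
        print("%s (%s) -> %s:%s %s" % (context_type(avc["scontext"]), avc["comm"],
                                       context_type(avc["tcontext"]), avc["tclass"],
                                       avc["perms"]))
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Run against the post's record it prints `allow procmail_t home_bin_t:dir { search };`, which is exactly the access the 3.7.19-22 changelog entry claims the shipped policy already grants; checking whether the running policy actually contains it (for example with `sesearch -A -s procmail_t -t home_bin_t`) is the quickest way to tell a regression from a local labeling problem before packaging the rule into a local module.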