On 05/17/2012 07:32 PM, Chuck Anderson wrote:
> I'm using EL 6.2 with sendmail & procmail. I'm having trouble with calling
> custom scripts in my home directory from .procmailrc such as this recipe:
>
> ######################################################
> #
> # BACKUP INCOMING MAIL
> #
> # Stores the last 16 messages in a backup folder.  "Just in Case"
> #
> # Create a folder in your $MAILDIR called "backup"
> # BEFORE you execute this procmail recipe.
> #
> :0 c
> backup
>
> :0 ic
> | /home/cra/bin/procmail-prune-backup-msg
>
> The script is labeled with home_bin_t:
>
> -rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0 /home/cra/bin/procmail-prune-backup-msg
>
> which is a Bourne Shell script similar to this:
>
> #!/bin/sh
> # Abort if the backup folder is missing, so the rm below never runs in the wrong directory
> cd /home/cra/mail/backup || exit 1
> /bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f
>
> In my procmail log I get:
>
> /bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied
>
> It works if I "setenforce 0".
>
> With Enforcing, here is the AVC I get (after enabling dontaudit rules with
> semodule -DB):
>
> # ausearch -i -m AVC
> type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
>
> I did a bunch of research on this and found this old changelog entry and
> the discussions/bugzillas leading up to it:
>
> # rpm -q selinux-policy
> selinux-policy-3.7.19-126.el6_2.10.noarch
>
> # rpm -q --changelog selinux-policy
> ...
> * Tue May 25 2010 Dan Walsh <dwalsh@xxxxxxxxxx> 3.7.19-22
> - Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
> - Fix /var/run/abrtd.lock label
>
> Was there a recent regression that broke this functionality, or did it not
> really make it into Enterprise Linux despite this changelog? Any ideas on
> how to fix this cleanly without having to disable Enforcing mode?
>
> Thanks.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Hey Chuck, could you check to see if this is fixed by installing the 6.3 policy?

Preview currently available at:

people.redhat.com/dwalsh/SELinux/RHEL6
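To triage a denial like the one quoted in the thread before deciding whether the installed policy lacks the changelog's fix, here is an added Python example (written for this page, not from the thread or from the SELinux tooling) that parses the `ausearch -i` AVC record, extracts the source and target types, and derives both the minimal allow rule the denial implies and the `sesearch` query that shows whether the loaded policy already contains it. The sample AVC line is the thread's record, re-typed as a constructed string.

```python
import re

# Constructed sample: the AVC record from the thread, as printed by `ausearch -i -m AVC`
SAMPLE_AVC = (
    "type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } "
    "for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 "
    "scontext=unconfined_u:system_r:procmail_t:s0 "
    "tcontext=user_u:object_r:home_bin_t:s0 tclass=dir"
)

# Fields of an AVC line we care about: denied permission set, both contexts, object class
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied permissions and the SELinux types (third field of user:role:type:level)."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC record (e.g. the accompanying SYSCALL line)
    return {
        "perms": m.group("perms").split(),
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def needed_rule(avc):
    """Minimal TE allow rule implied by the denial, in the form audit2allow prints it."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perm_str)


def sesearch_query(avc):
    """setools sesearch command that prints the matching allow rules; empty output means the rule is absent."""
    return "sesearch -A -s %s -t %s -c %s -p %s" % (
        avc["source_type"], avc["target_type"], avc["tclass"], ",".join(avc["perms"]))


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("denial:", avc)
    print("rule needed:", needed_rule(avc))
    print("check installed policy with:", sesearch_query(avc))
```

A `dir search` denial on the user's `bin` directory is the first step of the path walk, so further denials (file `read`/`execute`) may only appear after this one is resolved; re-run the check after each policy change.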