procmail

Paul Howarth paul at city-fan.org
Fri Apr 21 10:02:06 UTC 2006


Paul Howarth wrote:
> One of the actions a procmail recipe can have is to forward 
> mail somewhere else. It uses sendmail to do this. Running sendmail from 
> procmail doesn't seem to involve a domain transition, so I get:
> 
> Try to read alternatives link for sendmail:
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: 
> denied  { read } for  pid=4316 comm="procmail" name="sendmail" dev=dm-3 
> ino=131309 scontext=user_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
> 
> Try to run sendmail:
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: 
> denied  { execute } for  pid=4316 comm="procmail" 
> name="sendmail.sendmail" dev=dm-3 ino=131306 
> scontext=user_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: 
> denied  { execute_no_trans } for  pid=4316 comm="procmail" 
> name="sendmail.sendmail" dev=dm-3 ino=131306 
> scontext=user_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: 
> denied  { read } for  pid=4316 comm="procmail" name="sendmail.sendmail" 
> dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

I see from rawhide report that something to address this has gone into 
selinux-policy-2.2.34-2 (thanks).

Anyway, I tried fixing it myself as follows yesterday:

module procmail 0.1;

require {
         role object_r;
         role system_r;

         class dir { add_name getattr read remove_name search write };
         class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
         class lnk_file read;
         class process { noatsecure sigchld siginh transition rlimitinh };
         class fd { use };
         class fifo_file { getattr read write append ioctl lock };

         type procmail_t;
         type var_log_t;
         type sbin_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Procmail needs to call sendmail for forwarding
allow procmail_t sbin_t:lnk_file read;
optional_policy(`sendmail',`
         sendmail_domtrans(procmail_t)
')

This does seem to work but surely there's a tidier way of handling those 
class requirements? What am I missing?

Paul.
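As an added example (not part of this thread or of the policy module above), a small Python parser that turns AVC denials like the ones quoted in the message into `allow` rules, doing a simpler version of what audit2allow does. It flags the `execute_no_trans` case on an `*_exec_t` type instead of allowing it, because allowing it would run sendmail unconfined inside `procmail_t`, whereas a domain transition interface keeps it confined. The sample input is the four denials quoted above, rejoined onto single lines.

```python
import re
from collections import defaultdict

# The four AVC denials quoted in the message, with the mail wrapping undone.
SAMPLE_AVC = """\
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied  { read } for  pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied  { execute } for  pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied  { execute_no_trans } for  pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied  { read } for  pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

# Pull the permission set, the source and target *types* (third field of the
# context) and the object class out of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC line."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return denials

def to_te(denials):
    """Render the denials as policy rules. An execute_no_trans denial against an
    *_exec_t type is reported as needing a domain transition (for this page that
    is sendmail_domtrans), not turned into an allow rule: the transition gives the
    child its own confined domain, while execute_no_trans would keep it in the
    caller's domain. The read/execute denials on the same file are covered by
    the transition interface, so no separate rule is emitted for them either."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if "execute_no_trans" in perms and ttype.endswith("_exec_t"):
            lines.append(f"# {stype} runs {ttype}: use a domain transition interface "
                         f"(e.g. sendmail_domtrans) instead of allowing execute_no_trans")
            continue
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_te(parse_avc(SAMPLE_AVC)))
```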




More information about the fedora-selinux-list mailing list