postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Tue May 30 18:41:50 UTC 2006


On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > Hi all,
> > 
> > I took advantage of the long weekend here in the States to finally 
> > update to FC5.  All went well in general, however it has become apparent 
> > that procmail is problematic with SELinux enabled.
> > 
> > fetchmail and postfix work fine in terms of getting my e-mail from 
> > multiple POP3 accounts. However local (~/.procmailrc) procmail filtering 
> > does not.
> > 
> > My FC4 configuration files, with a few edits to reflect some path 
> > changes for postfix, now work fine with SELinux disabled. I was not 
> > running SELinux on FC4 and all worked fine there.
> > 
> > I found other FC5/SELinux posts where others have had similar problems 
> > and disabling SELinux solved them.
> > 
> > This is on a fully updated FC5 system as of the writing of this post.
> > 
> > Is there a policy update pending to resolve this issue or some temporary 
> > steps that can be used in the interim, short of disabling SELinux entirely?
> 
> I'm using procmail with sendmail on FC5, and whilst there were 
> significant problems getting it to work with the out-of-the-box policy, 
> it's mostly fixed now. The only local tweaks I do to policy are to add 
> the ability to write a log file to /var/log (probably peculiar to me), 
> to allow it to forward mail by calling sendmail (I think policy still 
> doesn't allow reading of the /usr/sbin/sendmail -> /etc/alternatives/mta 
> symlink, which pretty much most procmail users will need), and to allow 
> programs called from procmail to create temporary files.
> 
> If you run SELinux in permissive mode and post the AVCs that get logged 
> when procmail is running, it should be possible to get this fixed.

Paul,

Thanks for the reply.

I have re-booted with SELinux in Permissive Mode.

However, while procmail is working still, I see no avc messages at all
in /var/log/messages that would seemingly be related here. There are
other avc's there, most of which appear to be related to the boot
process and the relabelling of files subsequent to having disabled
SELinux earlier.

Is this something more subtle or is there someplace else that I should
be looking?

I did not note this earlier, but this was a clean install of FC5, not an
upgrade over FC4.

BTW, on a separate and possibly SELinux-related issue, I had noted that
the Evolution Data Server was crashing after I first installed FC5 with
SELinux enabled.  For the time this morning that I had SELinux disabled,
I was not getting the crash.  Didn't make the association initially, but
now that I have it re-enabled in Permissive Mode, it's crashing again.
No avc's in the log here either.

Thanks,

Marc
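
The step suggested in the quoted reply (collect the AVCs logged for procmail in permissive mode), as an added example that is not part of the original message. AVC records are written to /var/log/messages when auditd is not running and to /var/log/audit/audit.log when it is, so the hypothetical `avc_summary` function accepts either layout; the sample records are constructed, not taken from this thread.

```shell
#!/bin/sh
# Added example, not from the thread. All sample records are constructed.

# sample_log: constructed AVC records in syslog and audit.log layouts.
sample_log() {
    cat <<'EOF'
May 30 13:40:01 host kernel: audit(1149010801.101:11): avc:  denied  { read } for  pid=2301 comm="procmail" name="mta" dev=dm-0 ino=1001 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
May 30 13:45:01 host kernel: audit(1149011101.202:12): avc:  denied  { read } for  pid=2388 comm="procmail" name="mta" dev=dm-0 ino=1001 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1149011102.303:13): avc:  denied  { append } for  pid=2388 comm="procmail" name="procmail.log" dev=dm-0 ino=2002 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1149011103.404:14): avc:  denied  { search } for  pid=2400 comm="fetchmail" name="tmp" dev=dm-0 ino=3003 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# avc_summary COMM [FILE...]
# Reads log files (or stdin) and prints one line per distinct denial for
# the given command name: "count perms tclass scontext tcontext".
avc_summary() {
    comm=$1; shift
    awk -v want="comm=\"$comm\"" '
        /avc:/ && /denied/ && index($0, want) {
            perms = ""; s = ""; t = ""; c = ""
            # The permission set sits between "{ " and " }".
            if (match($0, /[{][^}]*[}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            seen[perms " " c " " s " " t]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Demonstration on the constructed records; on a real system pass the log
# files instead, e.g. avc_summary procmail /var/log/messages
sample_log | avc_summary procmail
```

The summary lines give the source and target contexts and the object class for each denial, which is the information a policy maintainer needs from the raw AVCs.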




