[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: procmail vs amanda selinux hits

From: Paul Howarth <paul city-fan org>
To: Fedora SELinux support list <fedora-selinux-list redhat com>
Subject: Re: procmail vs amanda selinux hits
Date: Wed, 16 Jan 2008 15:51:37 +0000

Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
Greetings;
At about the time the backup program amanda is due to send me an email, I'mgetting popups from selinux.
Amanda is at times trying to send the user gene an email, some of which I doget, but:
>From setroubleshoot:
SUMMARY
SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).

On a related matter, I sometimes like to use a system-wide procmailscript (/etc/procmailrc) and have system-wide procmail logs to go withthat, which can be done by putting in /etc/procmailrc something like:


LOGFILE=/var/log/procmail.log
or
LOGFILE=/var/log/procmail/$LOGNAME

Current policy doesn't cater for this, so I added:

::::::::::::::
myprocmail.te
::::::::::::::
policy_module(myprocmail, 0.5.6)

require {
        type procmail_t;
        type sendmail_t;
};

# log files
type procmail_log_t;
logging_log_file(procmail_log_t)

# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
logging_log_filetrans(procmail_t,procmail_log_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy?)
corecmd_read_bin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out duringforwarding

sendmail_signal(procmail_t)

::::::::::::::
myprocmail.fc
::::::::::::::

/var/log/procmail\.log --gen_context(system_u:object_r:procmail_log_t,s0)/var/log/procmail(/.*)?gen_context(system_u:object_r:procmail_log_t,s0)

The last bits of policy are things I've had locally for a couple ofFedora releases now; not sure if they're in current policy but I thinkthey should be.


Cheers, Paul.

Follow-Ups:
- Re: procmail vs amanda selinux hits
  - From: Gene Heskett

References:
- procmail vs amanda selinux hits
  - From: Gene Heskett
- Re: procmail vs amanda selinux hits
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]