[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Procmail battles



"Gregory P. Ennis" <PoMec PoMec Net> writes:

 > Mime-Version: 1.0
 > Reply-To: For users of Fedora Core releases <fedora-list redhat com>
 > 
 > On Mon, 2006-05-15 at 10:35 +0100, Paul Howarth wrote:
 > > Gregory P. Ennis wrote:
 > > > On Sun, 2006-05-14 at 12:52 +0100, Paul Howarth wrote:
 > > >> On Sat, 2006-05-13 at 20:52 -0500, Gregory P. Ennis wrote:
 > > >>> On Sat, 2006-05-13 at 21:42 -0400, Paul Michael Reilly wrote:
 > > >>>> Les Mikesell <lesmikesell gmail com> writes:
 > > >>>>
 > > >>>>  > On Sat, 2006-05-13 at 14:48, Paul Michael Reilly wrote:
 > > >>>>  > 
 > > >>>>  > > LOGFILE=/root/procmail.log
 > > >>>>  > > LOGABSTRACT=yes
 > > >>>>  > > VERBOSE=1
 > > >>>>  > > 
 > > >>>>  > > and send mail to "root" then I actually see an abstract appended to
 > > >>>>  > > /root/procmail.log which is consistent with the procmail man page in
 > > >>>>  > > that it says $HOME/.procmailrc will get processed.  I leaped,
 > > >>>>  > > incorrectly it would appear, to the conclusion that $HOME referred to
 > > >>>>  > > the mail target.  It must be referring to the User running procmail,
 > > >>>>  > > i.e. "root" on a stock Fedora Core system, which makes considerable
 > > >>>>  > > sense.  This, I believe, is the crux of my battles.
 > > >>>>  > 
 > > >>>>  > $HOME is the expansion of the environment variable HOME, which
 > > >>>>  > is set to the 6th field of the user's /etc/passwd file entry,
 > > >>>>  > i.e. their home directory.  This happens in a straightforward
 > > >>>>  > way during logins and is emulated in procmail runs. 
 > > >>>>  > 
 > > >>>>  > > So that raises the question: how does one configure mail (sendmail or
 > > >>>>  > > otherwise) on a stock Fedora Core system so that ~User/.procmailrc
 > > >>>>  > > will be processed for all User's on the system?
 > > >>>>  > 
 > > >>>>  > ~user is expanded in a shell to the same thing as $HOME would be for
 > > >>>>  > that user.  Sendmail should, by default, use procmail for everyone
 > > >>>>  > which should then process their .procmailrc but it will not trust
 > > >>>>  > files where the permissions allow write access by others.
 > > >>>>
 > > >>>> Excellent.  This insight has led to the real culprit: selinux.
 > > >>>> Disabling selinux leads to FC4 level behavior so it is a safe bet that
 > > >>>> a more stringent FC5 selinux setting is what is ailing me.  Now,
 > > >>>> ideally, I should be able to google FC5, selinux and mail and get some
 > > >>>> insight.  Not so.  Anyone have a reference where I can learn what
 > > >>>> FC5 now expects from sendmail/procmail to make selinux happy?  The
 > > >>>> entries in /var/log/messages are not exactly real informative:
 > > >>>>
 > > >>>> May 13 21:22:04 roamer kernel: audit(1147569724.815:39): avc:  denied  { search } for  pid=26417 comm="procmail" name="log" dev=dm-0 ino=4128796 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
 > > >>>>
 > > >>>>
 > > >>>> -pmr
 > > >>>>
 > > >>> I am having the same problem with FC5 and selinux.  My system worked
 > > >>> fine with FC4 but is failing with FC5.  I am using procmail to store
 > > >>> spam in created directory ie /savedrwxr-xr-x  root     mail     root:object_r:root_t             .
 > > > 
 > > > 
 > > >> /home/$USER/Mail/spam.  When I turn
 > > >>> selinux off I can get procmail to work perfectly, but when I turn
 > > >>> selinux back on it fails to be able to write in this directory.  I know
 > > >>> very little about selinux and would appreciate some references as to
 > > >>> changes from FC4 to FC5 as well.
 > > >> The out-of-the-box selinux policy for FC5 was somewhat broken for
 > > >> procmail, particularly if you wanted to forward mail as an action.
 > > >>
 > > >> Paul, what log files are you trying to write, and what the the "adv:
 > > >> denial" messages you see in /var/log/messages when procmail tries to
 > > >> write to this log?
 > > >>
 > > >> Gregory, is /save/home/$USER the home directory for $USER?
 > > >> What's the output of:
 > > >> $ ls -laZ /save/home
 > > >>
 > > >> Paul.
 > > >>
 > > >>
 > > > Paul,
 > > > 
 > > > Thanks for your help.  Is there a way to modify the procmail policy in
 > > > selinux?
 > > > 
 > > > The above directory is not the home directory of the user.  When I
 > > > originally designed the software I created a directory system outside of
 > > > the /home, but $USER does represent the name of the user.  Here is a
 > > > partial listing of ls -laZ /save/home
 > > > 
 > > > drwxr-xr-x  root     root     root:object_r:root_t             ..
 > > > drwxr-xr-x  bkgrndch bkgrndch root:object_r:root_t             bkgrndchk
 > > > drwxr-xr-x  claire   claire   root:object_r:root_t             claire
 > > > drwxr-xr-x  clamav   clamav   root:object_r:root_t             clamav
 > > > drwxr-xr-x  greg     greg     root:object_r:root_t             greg
 > > > drwxr-xr-x  jesse    jesse    root:object_r:root_t             jesse
 > > > drwxr-xr-x  mail     mail     root:object_r:root_t             lost
 > > > +found
 > > > drwxr-xr-x  mailwoma mailwoma root:object_r:root_t             mailwoman
 > > > drwxr-xr-x  melissa  melissa  root:object_r:root_t             melissa
 > > > 
 > > > Thanks again for your help!
 > > 
 > > You can probably fix this with file context changes rather than policy 
 > > changes. Try this:
 > > 
 > > # chcon -Rh -t user_home_t /save/home/*
 > > # chcon -h -t user_home_dir_t /save/home/*
 > > 
 > > Paul.
 > > 
 > Everyone,
 > 
 > Thanks for all of your help.  This is becoming a good exercise to
 > understand selinux.  Paul... I will try your suggestion and let you
 > know.

I have been following this thread in utter fascination and despair.
It started out because procmail doesn't work (does not process
~/.procmailrc) for me with FC5 out of the chute.  Keep in mind that
I'm trying to learn procmail.  A message that I should learn selinux
in order to enable FC5 to be able to learn procmail is not exactly the
kind of message I was looking for.  I'd be real happy to hear someone
say, "keep selinux off entirely until FC6 comes out and then procmail
and selinux will play nice again", which is my basically my plan for
focusing on procmail.  Is there a reason I should NOT file a bug
report for this procmail/selinux issue?

-pmr


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]