procmail
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 14 14:48:48 UTC 2006
Paul Howarth wrote:
> I use procmail as my local delivery agent from sendmail. In FC5 this
> appears to be running as procmail_t.
>
> Procmail offers the ability to pipe mail through programs (filters),
> and I use this facility from time to time. I'm getting quite a lot of
> denials when doing this and wonder what the right approach to fixing
> them is.
>
>
>
> Case 1: a locally-written shell script called "spamdomain"
>
> This is in my ~/bin directory and of type user_home_t
>
> Procmail recipe:
> SPAMDOMAIN=`spamdomain`
>
> Result:
>
> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
> denied { execute } for pid=16622 comm="procmail" name="spamdomain"
> dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
> denied { execute_no_trans } for pid=16622 comm="procmail"
> name="spamdomain" dev=dm-1 ino=1399071
> scontext=system_u:system_r:procmail_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
>
You could relabel it bin_t?
chcon -t bin_t ~/bin/spamdomain
>
> Case 2: piping mail through "sa-learn"
>
> I run spamass-milter to reject mail in-protocol and then my own local
> filter using procmail on anything that gets through. If I'm sure
> something's spam, I like spamassassin to learn about it so I might
> reject it earlier in future. So I pipe it through sa-learn
> (spamd_exec_t):
>
Shouldn't sa-learn be labeled spamc_exec_t?
If you change it to
chcon -t spamc_exec_t /usr/bin/sa-learn
Does it work?
> Procmail recipe:
> :0c
> | sa-learn --username=paul at city-fan.org --spam >/dev/null 2>&1
>
> Result:
>
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc:
> denied { getattr } for pid=16718 comm="bash" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
>
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8009): avc:
> denied { execute } for pid=16718 comm="bash" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
>
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8010): avc:
> denied { read } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
> ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
>
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8011): avc:
> denied { execute_no_trans } for pid=16719 comm="bash"
> name="sa-learn" dev=dm-3 ino=852750
> scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
>
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.799:8012): avc:
> denied { ioctl } for pid=16719 comm="sa-learn" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
>
> The "bash" denials will be due to procmail forking a shell to handle
> the redirects.
>
>
>
>
> What *should* I be doing here to fix this? I know I could just add
> local policy to fix the denials, but is there a way to do it that's
> supported by existing policy?
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list