procmail

Paul Howarth paul at city-fan.org
Tue Apr 18 17:26:02 UTC 2006


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> I use procmail as my local delivery agent from sendmail. In FC5 this 
>> appears to be running as procmail_t.
>>
>> Procmail offers the ability to pipe mail through programs (filters), 
>> and I use this facility from time to time. I'm getting quite a lot of 
>> denials when doing this and wonder what the right approach to fixing 
>> them is.
>>
>>
>>
>> Case 1: a locally-written shell script called "spamdomain"
>>
>> This is in my ~/bin directory and of type user_home_t
>>
>> Procmail recipe:
>> SPAMDOMAIN=`spamdomain`
>>
>> Result:
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc: 
>> denied  { execute } for  pid=16622 comm="procmail" name="spamdomain" 
>> dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc: 
>> denied  { execute_no_trans } for  pid=16622 comm="procmail" 
>> name="spamdomain" dev=dm-1 ino=1399071 
>> scontext=system_u:system_r:procmail_t:s0 
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>>
> You could relabel it bin_t?
> 
> chcon -t bin_t ~/bin/spamdomain

That seems to have worked nicely.

>> Case 2: piping mail through "sa-learn"
>>
>> I run spamass-milter to reject mail in-protocol and then my own local 
>> filter using procmail on anything that gets through. If I'm sure 
>> something's spam, I like spamassassin to learn about it so I might 
>> reject it earlier in future. So I pipe it through sa-learn 
>> (spamd_exec_t):
>>
> Shouldn't sa-learn be labeled spamc_exec_t?
> 
> If you change it to
> 
> chcon -t spamc_exec_t /usr/bin/sa-learn
> 
> Does it work?

That's looking OK so far too.

Next issue. One of the actions a procmail recipe can have is to forward 
mail somewhere else. It uses sendmail to do this. Running sendmail from 
procmail doesn't seem to involve a domain transition, so I get:

Try to read alternatives link for sendmail:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: 
denied  { read } for  pid=4316 comm="procmail" name="sendmail" dev=dm-3 
ino=131309 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file

Try to run sendmail:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: 
denied  { execute } for  pid=4316 comm="procmail" 
name="sendmail.sendmail" dev=dm-3 ino=131306 
scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: 
denied  { execute_no_trans } for  pid=4316 comm="procmail" 
name="sendmail.sendmail" dev=dm-3 ino=131306 
scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: 
denied  { read } for  pid=4316 comm="procmail" name="sendmail.sendmail" 
dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

Sendmail running in procmail_t instead of sendmail_t:
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc: 
denied  { search } for  pid=4316 comm="sendmail" name="clientmqueue" 
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12697): avc: 
denied  { getattr } for  pid=4316 comm="sendmail" name="clientmqueue" 
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12698): avc: 
denied  { write } for  pid=4316 comm="sendmail" name="clientmqueue" 
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12699): avc: 
denied  { add_name } for  pid=4316 comm="sendmail" 
name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12700): avc: 
denied  { create } for  pid=4316 comm="sendmail" name="dfk3IHAC7p004316" 
scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.592:12701): avc: 
denied  { lock } for  pid=4316 comm="sendmail" name="dfk3IHAC7p004316" 
dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: 
denied  { name_connect } for  pid=4316 comm="sendmail" dest=587 
scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12703): avc: 
denied  { remove_name } for  pid=4316 comm="sendmail" 
name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 
scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12704): avc: 
denied  { unlink } for  pid=4316 comm="sendmail" name="dfk3IHAC7p004316" 
dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12705): avc: 
denied  { read } for  pid=4316 comm="sendmail" name="clientmqueue" 
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

And finally for today, I have in /etc/procmailrc the following line:

LOGFILE=/var/log/procmail.log

For any account that doesn't override LOGFILE in a per-account 
.procmailrc, this causes procmail to log message delivery in 
/var/log/procmail.log. The policy appears to support logging via syslog 
(something I can't find how to configure), but not to files. Is that right?

Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.930:12668): avc: 
denied  { search } for  pid=2774 comm="procmail" name="log" dev=dm-4 
ino=851969 scontext=user_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: 
denied  { append } for  pid=2774 comm="procmail" name="procmail.log" 
dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:var_log_t:s0 tclass=file

Paul.
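Added example, not part of Paul's post or of any Fedora or SELinux tooling: a small Python triage helper that parses kernel AVC lines in the format shown in the thread and flags an `execute_no_trans` denial on an `*_exec_t` entrypoint as a missing domain transition, attributing the later denials from the same pid (sendmail still running as procmail_t) to that one root cause. The sample lines are the post's own denials with the wrapped lines rejoined; the function names are my own.

```python
import re

# Kernel AVC lines copied from the post above (log-wrapped lines rejoined).
SAMPLE_AVC = """\
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied  { execute } for  pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied  { execute_no_trans } for  pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc: denied  { search } for  pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied  { name_connect } for  pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: denied  { append } for  pid=2774 comm="procmail" name="procmail.log" dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_missing_transitions(text):
    """Flag execute_no_trans denials on an *_exec_t entrypoint.

    When a domain is denied execute_no_trans on an entrypoint type, the child keeps
    the caller's domain instead of transitioning, so every later denial from that
    pid is a symptom of the missing transition rather than a separate policy gap.
    """
    flagged = {}
    for rec in filter(None, map(parse_avc, text.splitlines())):
        pid = rec["pid"]
        if pid in flagged:
            flagged[pid]["followups"].append((rec["comm"], rec["perms"][0], rec["ttype"]))
        elif "execute_no_trans" in rec["perms"] and rec["ttype"].endswith("_exec_t"):
            flagged[pid] = {"caller": rec["stype"], "entrypoint": rec["ttype"], "followups": []}
    return flagged


if __name__ == "__main__":
    for pid, info in find_missing_transitions(SAMPLE_AVC).items():
        print(f"pid {pid}: {info['caller']} ran {info['entrypoint']} without a transition;"
              f" {len(info['followups'])} later denial(s) attributed to it")
```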
