postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Tue Jun 20 07:08:33 UTC 2006


On Mon, 2006-06-19 at 15:34 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-19 at 21:13 +0100, Paul Howarth wrote:
> > On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> > > On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > > > At this point it might be worth trying to remove some of the "strange" 
> > > > policy items, such as:
> > > > 
> > > > allow postfix_master_t man_t:file getattr;
> > > > 
> > > > and see what, if anything fails. By doing this we might get some insight 
> > > > into what is actually happening, or if nothing breaks, we could 
> > > > dontaudit it instead of allowing it.
> > > > 
> > > > Paul.
> > > 
> > > 
> > > Paul,
> > > 
> > > Apologies for the delay in my reply, as I was traveling (Vienna,
> > > Austria) all of last week and got back late yesterday. My schedule there
> > > ended up being busier than I expected and did not have a chance to get
> > > to this.
> > > 
> > > I tried to make the above modification to mypostfix.te, however when
> > > going back to build all of the policy modules, I now get an error:
> > > 
> > > Compiling targeted procmail module
> > > /usr/bin/checkmodule:  loading policy configuration from
> > > tmp/procmail.tmp
> > > procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line
> > > 57484:
> > > clamscan_domtrans(procmail_t)
> > > # ==============================================
> > > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > > make: *** [tmp/procmail.mod] Error 1
> > > 
> > > 
> > > Line 41 in procmail.te (as noted above) is:
> > > 
> > > clamscan_domtrans(procmail_t)
> > > 
> > > 
> > > This error occurs even without the modification to mypostfix.te, so I am
> > > unclear as to what happened since the last time I was able to build them
> > > all.
> > > 
> > > I plead jet lag here and suspect that you might rapidly recognize what
> > > is happening and have an easy fix. If you need me to check some files,
> > > let me know.
> > 
> > The interface name has changed in a recent selinux-policy update. New
> > procmail.te:
> > 
> > policy_module(procmail, 0.5.3)
> > 
> > require {
> >         type procmail_t;
> >         type sendmail_t;
> > };
> > 
> > # temp files
> > type procmail_tmp_t;
> > files_tmp_file(procmail_tmp_t)
> > 
> > # log files
> > type procmail_var_log_t;
> > logging_log_file(procmail_var_log_t)
> > 
> > # Write log to /var/log/procmail.log
> > allow procmail_t procmail_var_log_t:file create_file_perms;
> > allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
> > logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
> > 
> > # Allow programs called from procmail to read/write temp files and dirs
> > allow procmail_t procmail_tmp_t:dir create_dir_perms;
> > allow procmail_t procmail_tmp_t:file create_file_perms;
> > files_type(procmail_tmp_t)
> > files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
> > 
> > # Hide uninteresting things when debugging using enableaudit.pp
> > mta_dontaudit_rw_queue(procmail_t)
> > 
> > # ==============================================
> > # Procmail needs to call sendmail for forwarding
> > # ==============================================
> > 
> > # Read alternatives link (still not in policy)
> > corecmd_read_sbin_symlinks(procmail_t)
> > 
> > # Procmail occasionally signals sendmail, e.g. when it times out during forwarding
> > allow procmail_t sendmail_t:process signal;
> > 
> > # Allow transition to sendmail
> > # This is in selinux-policy-2.2.34-2 onwards
> > # (may need similar code for other MTAs that can replace sendmail)
> > # sendmail_domtrans(procmail_t)
> > 
> > # ==============================================
> > # Procmail needs to be able to call clamassassin
> > # ==============================================
> > clamav_domtrans_clamscan(procmail_t)
> 
> Thanks Paul!
> 
> OK, so the building goes OK, but now when I try to install the modules,
> I get the following error:
> 
> # /usr/sbin/semodule -i procmail.pp
> libsepol.class_copy_callback: procmail: Modules may not yet declare new classes.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule:  Failed!
> 
> 
> This occurs with each of the 5 modules.
> 
> Due to the recent change as well or is there something else that I need
> to do before installing the new module(s)?

Not sure what that is. Can you try rebuilding all of the modules?

# rm *.pp
# make

Paul.
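As an added example (not part of this thread, and not reference-policy code), the check below takes the text of a .te module plus a set of .if headers and lists interface calls that no header defines, which is what checkmodule's "syntax error at token 'clamscan_domtrans'" in the quoted build output actually means. The headers and the trimmed procmail.te are constructed stand-ins; in practice you would feed it the .if files installed by selinux-policy-devel (under /usr/share/selinux/devel/include on Fedora).

```python
import re
# interface(`name',` or template(`name',` at the start of a line in a .if file
IFACE_DEF = re.compile(r"^\s*(?:interface|template)\(`(\w+)'", re.M)
# name(args) at the start of a line in a .te file
IFACE_CALL = re.compile(r"^\s*(\w+)\(", re.M)
# m4 macros a .te may call that are not reference-policy interfaces
BUILTIN_MACROS = {"policy_module", "gen_require", "optional_policy",
                  "tunable_policy", "gen_tunable", "ifdef", "ifndef"}

def strip_comments(src):
    # drop '#' comments so '# sendmail_domtrans(procmail_t)' is not reported
    return "\n".join(line.split("#", 1)[0] for line in src.splitlines())

def defined_interfaces(headers):
    # headers: {filename: text} of .if files -> set of interface names
    return {n for text in headers.values() for n in IFACE_DEF.findall(text)}

def called_interfaces(te_source):
    # interface calls a .te module makes, in order, minus m4 builtins
    return [n for n in IFACE_CALL.findall(strip_comments(te_source))
            if n not in BUILTIN_MACROS]

def undefined_interfaces(te_source, headers):
    # calls no header defines: checkmodule reports these as a syntax error
    known = defined_interfaces(headers)
    return [n for n in called_interfaces(te_source) if n not in known]

# Constructed stand-ins for the installed .if headers after the rename
HEADERS = {
    "clamav.if": "interface(`clamav_domtrans_clamscan',`\n\tdomtrans_pattern($1, clamscan_exec_t, clamscan_t)\n')\n",
    "files.if": "interface(`files_tmp_file',` ')\n",
    "logging.if": "interface(`logging_log_filetrans',` ')\n",
    "mta.if": "interface(`mta_dontaudit_rw_queue',` ')\n",
    "corecommands.if": "interface(`corecmd_read_sbin_symlinks',` ')\n",
}

# Trimmed from the procmail.te in this thread, still using the old name
OLD_TE = """policy_module(procmail, 0.5.3)
files_tmp_file(procmail_tmp_t)
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
mta_dontaudit_rw_queue(procmail_t)
corecmd_read_sbin_symlinks(procmail_t)
allow procmail_t sendmail_t:process signal;
# sendmail_domtrans(procmail_t)
clamscan_domtrans(procmail_t)
"""
NEW_TE = OLD_TE.replace("clamscan_domtrans(", "clamav_domtrans_clamscan(")

if __name__ == "__main__":
    print("old .te:", undefined_interfaces(OLD_TE, HEADERS))  # ['clamscan_domtrans']
    print("new .te:", undefined_interfaces(NEW_TE, HEADERS))  # []
```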



