postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Tue May 30 19:09:23 UTC 2006


On Tue, 2006-05-30 at 20:56 +0200, Nicolas Mailhot wrote:
> Getting postfix + procmail + selinux to work is hard as:
> - the postfix bits are exposed to the external world so they have tight
> permissions
> - procmail is essentially a script multiplexer, not good at all from a
> security perspective: every action added to the procmailrc needs to have
> been predicted, audited and authorized by the policy authors

This conflict is resolved, at least for the sendmail/procmail
combination, by having a domain transition to procmail_t when sendmail
calls procmail. So sendmail remains more restricted than procmail.

> - procmailrc is in /home, default policy dontaudits a lot of the stuff
> happening there

You can get the dontaudit rules removed by changing the base policy:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

The dontaudit rules can be restored using:

# semodule -b /usr/share/selinux/targeted/base.pp

> - selinux policy authors don't seem to run or test this combo

Can't help there; I use sendmail myself.

> I spent weeks reporting bugs on this before FC5 - every selinux update
> seemed to break procmail + postfix in new mysterious ways. If you find
> the time to get the Fedora Devel policy ironed out for postfix +
> procmail and manage somewhat to convince policy authors to check they
> don't break it every other release I'll be very grateful.

I had a lot of trouble with FC4 too and gave up reporting issues. It's
much easier to do fixes with FC5 and the modular policy IMO. The things
I'm reporting now are getting fixed too :-)

Paul.




More information about the fedora-selinux-list mailing list