procmail with nfs home dirs

Fri Sep 8 18:43:28 UTC 2006

Paul Howarth wrote:
> On Thu, 2006-09-07 at 19:38 -0400, Matthew Gillen wrote:
>   
>> Daniel J Walsh wrote:
>>     
>>> Matthew Gillen wrote:
>>>       
>>>> Hi,
>>>> I'm new to SELinux, and I was having some problems with procmail not
>>>> working
>>>> correctly for me with NFS (via NIS-based autofs) home directories on FC5.
>>>>
>>>> There seemed to be a discussion about a similar issue a while back:
>>>> http://www.redhat.com/archives/fedora-list/2006-May/msg03265.html
>>>> but the solutions there didn't solve my problem.
>>>>
>>>> In any event, I managed to get it working for myself using the following
>>>> policy module.  The 'autofs_t:dir search' part seemed to be needed to
>>>> find
>>>> my .procmailrc file, and the rest looks like it is needed to write
>>>> messages
>>>> into my maildirs under $HOME/Mail/
>>>>
>>>> If anyone has suggestions on how to improve this I'd be happy to hear
>>>> them.
>>>> Thanks,
>>>> Matt
>>>>
>>>> --------------------------------------
>>>> module procmailnfs 1.0;
>>>>
>>>> require {
>>>>         class dir { getattr search write };
>>>>         class file { append getattr read };
>>>>         type autofs_t;
>>>>         type default_t;
>>>>         type procmail_t;
>>>>         role system_r;
>>>> };
>>>>
>>>> allow procmail_t autofs_t:dir search;
>>>> allow procmail_t default_t:dir { getattr search write };
>>>> allow procmail_t default_t:file { append getattr read };
>>>> --------------------------------------
>>>>
>>>>   
>>>>         
>>> This looks like a labeling problem.  What directory is labeled default_t?
>>>       
>> I think I need to explain a bit more about my setup.  Basically, I've got
>> one machine that's an NIS+NFS server and a mail server.  This machine has
>> /export/home set up as one of it's nfs shares.
>> After a '/sbin/restorecon -v -R /export/home', the ls -Z output for
>> /export/home/username is system_u:object_r:default_t.
>>
>> Here's where it gets interesting.  The NFS server will automount from itself
>> for users in NIS.  If I log into the NFS server as 'username', and do 'ls
>> -lZd /home/username', the result is 'system_u:object_r:default_t'.  However,
>> if I'm on some other machine (that is an NFS client), the 'ls -Z' output for
>> /home/username is 'system_u:object_r:nfs_t'
>>
>> On both machines, (the NFS server+client and the pure client) the ls -Z
>> output for /home indicates 'system_u:object_r:autofs_t'
>>
>> So, maybe what's ultimately going on is that there's a bug in setting the
>> context for a locally-served NFS share?
>>     
>
> I think it's much simpler than that; there is no default context
> for /export/home (Fedora home directories default to /home rather
> than /export/home) and that's why restorecon didn't change anything.
>
> Are the home directories in the NIS database listed as being in /home
> or /export/home?
>
> Paul.
>
>
>
>   

Yes the question is where are the homedirs comeing from an what are they 
labeled?  Are you doing a bind mount on the local machine.

Try
chcon -t home_root_t /export/home