procmail vs amanda selinux hits

Gene Heskett gene.heskett at verizon.net
Thu Jan 17 02:12:49 UTC 2008


On Wednesday 16 January 2008, Paul Howarth wrote:
>Daniel J Walsh wrote:
>>
>> Gene Heskett wrote:
>>> Greetings;
>>>
>>> At about the time the backup program amanda is due to send me an email,
>>> I'm getting popups from selinux.
>>>
>>> Amanda is at times trying to send the user gene an email, some of which I
>>> do get, but:
>>>
>>> From setroubleshoot:
>>>
>>> SUMMARY
>>> SELinux is preventing /usr/bin/procmail (procmail_t) "search" to
>>> (var_log_t).
>
>On a related matter, I sometimes like to use a system-wide procmail
>script (/etc/procmailrc) and have system-wide procmail logs to go with
>that, which can be done by putting in /etc/procmailrc something like:
>
>LOGFILE=/var/log/procmail.log
>or
>LOGFILE=/var/log/procmail/$LOGNAME
>
>Current policy doesn't cater for this, so I added:
>
>
>myprocmail.te
>
>policy_module(myprocmail, 0.5.6)
>
>require {
>         type procmail_t;
>         type sendmail_t;
>};
>
># log files
>type procmail_log_t;
>logging_log_file(procmail_log_t)
>
># Write log to /var/log/procmail.log or /var/log/procmail/.*
>allow procmail_t procmail_log_t:dir setattr;
>create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>logging_log_filetrans(procmail_t,procmail_log_t, { file dir })
>
># ==============================================
># Procmail needs to call sendmail for forwarding
># ==============================================
>
># Read alternatives link (still not in policy?)
>corecmd_read_bin_symlinks(procmail_t)
>
># Procmail occasionally signals sendmail, e.g. when it times out during
># forwarding
>sendmail_signal(procmail_t)
>
>
>myprocmail.fc
>
>/var/log/procmail\.log  --  gen_context(system_u:object_r:procmail_log_t,s0)
>/var/log/procmail(/.*)?     gen_context(system_u:object_r:procmail_log_t,s0)
>
>
>
>
>
>The last bits of policy are things I've had locally for a couple of
>Fedora releases now; not sure if they're in current policy but I think
>they should be.
>
>Cheers, Paul.
>
Thanks guys, it sounds like the next release will fix this.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If A equals success, then the formula is _A = _X + _Y + _Z.  _X is work.
_Y is play.  _Z is keep your mouth shut.
		-- Albert Einstein
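
Added example, not part of the original thread or of Fedora's policy: a small Python model of how the two myprocmail.fc entries quoted above select paths, to check which log locations would be labelled procmail_log_t before relying on restorecon. It assumes only what .fc files define (the path expression must match the whole path, and "--" restricts an entry to regular files); the sample paths in the test are constructed, and label_for is a hypothetical helper name.

```python
import re
import stat

# The two entries from the myprocmail.fc quoted in this message:
# (path regex, file-type field or None for "any", SELinux type)
FC_ENTRIES = [
    (r"/var/log/procmail\.log", "--", "procmail_log_t"),
    (r"/var/log/procmail(/.*)?", None, "procmail_log_t"),
]

# File-type fields accepted in .fc files and the stat file class each selects.
FC_FILE_TYPES = {
    "--": stat.S_IFREG,
    "-d": stat.S_IFDIR,
    "-l": stat.S_IFLNK,
    "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK,
    "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}


def label_for(path, file_class, entries=FC_ENTRIES):
    """Return the type these entries assign to path, or None if none applies.

    file_class is a stat.S_IF* constant (for a real file: stat.S_IFMT(st_mode)).
    Simplification (assumption): only this module's entries are modelled, so
    None means "falls through to whatever the base policy says for /var/log".
    """
    for regex, ftype, setype in entries:
        # An entry with a file-type field only applies to that file class.
        if ftype is not None and FC_FILE_TYPES[ftype] != file_class:
            continue
        # File-context expressions are anchored: they must match the full path.
        if re.fullmatch(regex, path):
            return setype
    return None


def uncovered(paths_with_class):
    """List the (path, class) pairs that get no label from these entries."""
    return [p for p, c in paths_with_class if label_for(p, c) is None]
```

Rotated copies such as /var/log/procmail.log.1 match neither expression, so a relabel would not give them procmail_log_t unless the first entry is widened.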




More information about the fedora-selinux-list mailing list