Re: procmail
Christopher J. PeBenito wrote:
On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
> Paul Howarth wrote:
> module procmail 0.1;
>
> require {
[cut]
> class dir { add_name getattr read remove_name search write };
> class file { append create execute execute_no_trans getattr ioctl lock read
rename unlink write };
> class lnk_file read;
> class process { noatsecure sigchld siginh transition rlimitinh };
> class fd { use };
> class fifo_file { getattr read write append ioctl lock };
[cut]
> This does seem to work but surely there's a tidier way of handling those
> class requirements? What am I missing?
You want to use the "policy_module(procmail,0.1)" macro instead of the
module statement at the top. It adds all of the kernel object classes,
so you don't have to write them all out.
Thanks, that's much better:
policy_module(procmail, 0.2)
require {
type procmail_t;
type sbin_t;
type var_log_t;
};
# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;
# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards
# Read alternatives link
allow procmail_t sbin_t:lnk_file read;
# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
sendmail_domtrans(procmail_t)
')
Cheers, Paul.