Christopher J. PeBenito wrote:
On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
Paul Howarth wrote:
module procmail 0.1;

require {
[cut]
        class dir { add_name getattr read remove_name search write };
        class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
        class lnk_file read;
        class process { noatsecure sigchld siginh transition rlimitinh };
        class fd { use };
        class fifo_file { getattr read write append ioctl lock };
[cut]
This does seem to work but surely there's a tidier way of handling those class requirements? What am I missing?
You want to use the "policy_module(procmail,0.1)" macro instead of the module statement at the top. It adds all of the kernel object classes, so you don't have to write them all out.
Thanks, that's much better:
policy_module(procmail, 0.2)

require {
        type procmail_t;
        type sbin_t;
        type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
        sendmail_domtrans(procmail_t)
')
Cheers, Paul.
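The local module above, written to disk, built through the reference policy Makefile, loaded, and then checked in the running policy, as an added example that is not part of the thread. It assumes selinux-policy-devel (for /usr/share/selinux/devel/Makefile and the macros policy_module() and sendmail_domtrans()) and setools (sesearch) are installed, and names the module procmail_local so it does not collide with the distribution's own procmail module.

```shell
# Added example: build and load Paul's rules as a local module, then check
# that the loaded policy really carries them. Assumes selinux-policy-devel
# (refpolicy headers + Makefile) and setools (sesearch) are installed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
TE_FILE="$WORKDIR/procmail_local.te"

# Write the .te source. policy_module() pulls in the kernel object classes,
# so no class requirements are needed; only the foreign types are required.
write_te() {
    cat > "$TE_FILE" <<'EOF'
policy_module(procmail_local, 0.2)

require {
        type procmail_t;
        type sbin_t;
        type var_log_t;
}
# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;
# Read alternatives link
allow procmail_t sbin_t:lnk_file read;
# Transition to sendmail, only if the sendmail module is present
optional_policy(`sendmail',`
        sendmail_domtrans(procmail_t)
')
EOF
    echo "$TE_FILE"
}

# The macros are m4 from the refpolicy headers: build via the devel Makefile.
build_module() {
    (cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile procmail_local.pp)
}

# Load the package, then ask the kernel policy whether the append rule exists.
install_and_verify() {
    semodule -i "$WORKDIR/procmail_local.pp"
    sesearch --allow -s procmail_t -t var_log_t -c file -p append
}

# Only run the privileged steps where the toolchain is actually present.
if [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; then
    write_te && build_module && install_and_verify
fi
```

sesearch prints the matching allow rule once the module is loaded; an empty result means the package did not install or the rule was optimised away.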