On Mon, 2006-06-19 at 15:34 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-19 at 21:13 +0100, Paul Howarth wrote:
> > On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> > > On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > > > At this point it might be worth trying to remove some of the "strange"
> > > > policy items, such as:
> > > >
> > > > allow postfix_master_t man_t:file getattr;
> > > >
> > > > and see what, if anything, fails. By doing this we might get some insight
> > > > into what is actually happening, or if nothing breaks, we could
> > > > dontaudit it instead of allowing it.
> > > >
> > > > Paul.
> > >
> > >
> > > Paul,
> > >
> > > Apologies for the delay in my reply, as I was traveling (Vienna,
> > > Austria) all of last week and got back late yesterday. My schedule there
> > > ended up being busier than I expected and I did not have a chance to get
> > > to this.
> > >
> > > I tried to make the above modification to mypostfix.te, however when
> > > going back to build all of the policy modules, I now get an error:
> > >
> > > Compiling targeted procmail module
> > > /usr/bin/checkmodule: loading policy configuration from tmp/procmail.tmp
> > > procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line 57484:
> > > clamscan_domtrans(procmail_t)
> > > # ==============================================
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/procmail.mod] Error 1
> > >
> > >
> > > Line 41 in procmail.te (as noted above) is:
> > >
> > > clamscan_domtrans(procmail_t)
> > >
> > >
> > > This error occurs even without the modification to mypostfix.te, so I am
> > > unclear as to what happened since the last time I was able to build them
> > > all.
> > >
> > > I plead jet lag here and suspect that you might rapidly recognize what
> > > is happening and have an easy fix. If you need me to check some files,
> > > let me know.
> >
> > The interface name has changed in a recent selinux-policy update. New
> > procmail.te:
> >
> > policy_module(procmail, 0.5.3)
> >
> > require {
> > type procmail_t;
> > type sendmail_t;
> > };
> >
> > # temp files
> > type procmail_tmp_t;
> > files_tmp_file(procmail_tmp_t)
> >
> > # log files
> > type procmail_var_log_t;
> > logging_log_file(procmail_var_log_t)
> >
> > # Write log to /var/log/procmail.log
> > allow procmail_t procmail_var_log_t:file create_file_perms;
> > allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
> > logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
> >
> > # Allow programs called from procmail to read/write temp files and dirs
> > allow procmail_t procmail_tmp_t:dir create_dir_perms;
> > allow procmail_t procmail_tmp_t:file create_file_perms;
> > files_type(procmail_tmp_t)
> > files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
> >
> > # Hide uninteresting things when debugging using enableaudit.pp
> > mta_dontaudit_rw_queue(procmail_t)
> >
> > # ==============================================
> > # Procmail needs to call sendmail for forwarding
> > # ==============================================
> >
> > # Read alternatives link (still not in policy)
> > corecmd_read_sbin_symlinks(procmail_t)
> >
> > # Procmail occasionally signals sendmail, e.g. when it times out during forwarding
> > allow procmail_t sendmail_t:process signal;
> >
> > # Allow transition to sendmail
> > # This is in selinux-policy-2.2.34-2 onwards
> > # (may need similar code for other MTAs that can replace sendmail)
> > # sendmail_domtrans(procmail_t)
> >
> > # ==============================================
> > # Procmail needs to be able to call clamassassin
> > # ==============================================
> > clamav_domtrans_clamscan(procmail_t)
>
> Thanks Paul!
>
> OK, so the building goes OK, but now when I try to install the modules,
> I get the following error:
>
> # /usr/sbin/semodule -i procmail.pp
> libsepol.class_copy_callback: procmail: Modules may not yet declare new classes.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> This occurs with each of the 5 modules.
>
> Due to the recent change as well, or is there something else that I need
> to do before installing the new module(s)?

Not sure what that is. Can you try rebuilding all of the modules?

# rm *.pp
# make

Paul.
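Paul's diagnosis earlier in the thread (an interface was renamed in a selinux-policy update, so checkmodule stops at the old name with a 'syntax error' at that token) suggests a check worth running before `make` after every policy update: list every interface a .te calls and confirm that the installed .if headers still declare it. The script below is an added example, not code from the thread or from the selinux-policy project. It assumes the reference-policy conventions visible in the thread (a call is `name(args)` at the start of a line, a declaration is `interface(`name',` in a header), assumes /usr/share/selinux/devel/include as the header directory on a Fedora system, and embeds constructed sample .te and .if texts so that it runs offline; the helper names and the token-matching rename suggestion are this example's own.

```python
"""Flag interface calls in a SELinux policy module that no .if header declares.

Added example, not code from the thread or from selinux-policy. It assumes the
reference-policy conventions the thread shows: a .te calls an interface as
name(args) at line start and a .if declares it as interface(`name',. The
include path and the sample .te/.if texts below are constructed assumptions.
"""
import os
import re
import sys

# Macro call at line start, e.g. clamscan_domtrans(procmail_t). Anchoring at
# the line start skips commented-out calls like "# sendmail_domtrans(...)".
CALL_RE = re.compile(r"^[ \t]*([a-z][a-z0-9_]*)[ \t]*\(", re.MULTILINE)
# interface(`name', or template(`name', in a header.
DECL_RE = re.compile(r"^[ \t]*(?:interface|template)\(`([a-z][a-z0-9_]*)'", re.MULTILINE)
# Calls defined by the build macros rather than by a header.
BUILD_MACROS = {"policy_module", "gen_require", "gen_tunable", "tunable_policy",
                "optional_policy", "ifdef", "ifndef", "define"}
DEFAULT_INCLUDE_DIR = "/usr/share/selinux/devel/include"  # assumed Fedora path


def interface_calls(te_text):
    """Interface names a .te calls, in first-use order, without duplicates."""
    calls = []
    for name in CALL_RE.findall(te_text):
        if name not in BUILD_MACROS and name not in calls:
            calls.append(name)
    return calls


def declared_interfaces(if_texts):
    """All interface/template names declared across the given .if contents."""
    return {name for text in if_texts for name in DECL_RE.findall(text)}


def missing_interfaces(te_text, if_texts):
    """Calls no header declares; checkmodule rejects each as a syntax error."""
    declared = declared_interfaces(if_texts)
    return [name for name in interface_calls(te_text) if name not in declared]


def suggest_renames(missing, declared):
    """Declared names containing every '_'-token of a missing name; this catches
    a prefix change such as clamscan_domtrans -> clamav_domtrans_clamscan."""
    return {name: sorted(d for d in declared if set(name.split("_")) <= set(d.split("_")))
            for name in missing}


def read_if_dir(include_dir):
    """Contents of every .if file below include_dir."""
    texts = []
    for root, _dirs, files in os.walk(include_dir):
        for fname in sorted(f for f in files if f.endswith(".if")):
            with open(os.path.join(root, fname), encoding="utf-8", errors="replace") as fh:
                texts.append(fh.read())
    return texts


# Constructed .te in the shape of the thread's older procmail.te, still
# calling the pre-rename ClamAV interface.
SAMPLE_TE = """\
policy_module(procmail, 0.5.2)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
mta_dontaudit_rw_queue(procmail_t)
allow procmail_t sendmail_t:process signal;
# sendmail_domtrans(procmail_t)
clamscan_domtrans(procmail_t)
"""

# Constructed .if fragments standing in for the updated headers.
SAMPLE_IFS = [
    "interface(`clamav_domtrans_clamscan',`\n"
    "\tgen_require(`\n\t\ttype clamscan_t, clamscan_exec_t;\n\t')\n"
    "\tdomtrans_pattern($1, clamscan_exec_t, clamscan_t)\n')\n",
    "interface(`files_tmp_file',`\n\ttypeattribute $1 tmpfile;\n')\n"
    "interface(`files_tmp_filetrans',`\n\tfiletrans_pattern($1, tmp_t, $2, $3)\n')\n"
    "interface(`mta_dontaudit_rw_queue',`\n\tdontaudit $1 mqueue_spool_t:file rw_file_perms;\n')\n",
]


def main(argv):
    """check_if.py [module.te [include_dir]]; with no arguments, runs the samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            te_text = fh.read()
        if_texts = read_if_dir(argv[2] if len(argv) > 2 else DEFAULT_INCLUDE_DIR)
    else:
        te_text, if_texts = SAMPLE_TE, SAMPLE_IFS
    missing = missing_interfaces(te_text, if_texts)
    for name, hits in suggest_renames(missing, declared_interfaces(if_texts)).items():
        print(f"{name}: not declared in any .if; candidates: {', '.join(hits) or 'none'}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 check_if.py procmail.te /usr/share/selinux/devel/include` (a hypothetical file name) after each selinux-policy update; a non-zero exit means at least one call will not compile, and the token-based suggestion points at the renamed interface, clamscan_domtrans to clamav_domtrans_clamscan in the thread's case. Commented-out calls such as the sendmail_domtrans line are ignored, so the check tracks what checkmodule will actually parse rather than every name that appears in the file.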