Hello!
Would you be so kind as to give me a hint why postfix's pipe command tries to execute a custom script with execute_no_trans? Details follow.
Here we have a combination of Spamassassin and DrWeb virus scanner. Due to the lame DrWeb programs' stupidity one has to create a shell script that first passes a mail through spamassassin and then throws it to DrWeb.

I have created a custom SELinux module of my own named ql_spamassassin to (try to) put this combination under SELinux control. So I have defined my own type `ql_spamassassin_client_exec_t' for the script and ql_spamassassin_client_t domain type. And I have
|
| domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)
| domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)
|
to allow postfix_pipe_t to execute the script and perform the type transition.

The module has been compiled and loaded into the kernel quite successfully, but I still get the execution denials:
|
| type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
| type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 a0=804e410 a1=804e0a8 a2=804e550 a3=3d09 items=1 pid=2793 auid=4294967295 uid=15625 gid=15625 euid=15625 suid=15625 fsuid=15625 egid=15625 sgid=15625 fsgid=15625 comm="pipe" exe="/usr/libexec/postfix/pipe"
| type=AVC_PATH msg=audit(1150125191.592:740): path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
| type=CWD msg=audit(1150125191.592:740): cwd="/var/spool/postfix"
| type=PATH msg=audit(1150125191.592:740): item=0 name="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh" flags=101 inode=56842 dev=09:09 mode=0100555 ouid=0 ogid=0 rdev=00:00
|

The system is FC5.
SELinux related packages:
checkpolicy-1.30.3-1.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
libsepol-1.12.6-1.fc5
policycoreutils-1.30.10-1.fc5
selinux-policy-2.2.40-1.fc5
selinux-policy-targeted-2.2.40-1.fc5
kernel-smp-2.6.16-1.2133_FC5

Please, give me a hint, what's wrong here.
Thank you.
QingLong.
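
An added example, not part of the original post: a small Python triage helper that groups audit records by event serial and reports every `execute_no_trans` denial together with its AVC_PATH. The kernel checks that permission when an exec would keep the process in its current domain, so each hit is an exec for which no domain transition was applied. The function and variable names are this example's own; the sample input is two of the records quoted in the post.

```python
import re
from collections import defaultdict

# AVC and AVC_PATH records of event 740, copied from the post above.
SAMPLE = '''\
type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
type=AVC_PATH msg=audit(1150125191.592:740): path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
'''

EVENT = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
PATH = re.compile(r'path="([^"]*)"')

def untransitioned_execs(log_text):
    """Return one dict per execute_no_trans denial, joined with its AVC_PATH."""
    events = defaultdict(dict)  # serial -> {record type: record body}
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events[serial][rtype] = body  # last record of a type wins
    findings = []
    for serial, recs in events.items():
        m = AVC.search(recs.get('AVC', ''))
        if not m or 'execute_no_trans' not in m.group(1).split():
            continue
        p = PATH.search(recs.get('AVC_PATH', ''))
        findings.append({
            'serial': serial,
            # The type is the third colon-separated field of a context.
            'source_domain': m.group(2).split(':')[2],
            'target_type': m.group(3).split(':')[2],
            'tclass': m.group(4),
            'path': p.group(1) if p else None,
        })
    return findings

if __name__ == '__main__':
    for f in untransitioned_execs(SAMPLE):
        print('event %(serial)s: %(source_domain)s ran %(path)s '
              '(%(target_type)s) without changing domain' % f)
```

For each hit, the loaded policy can then be checked for a type transition rule covering that source domain and target type.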