Paul Howarth wrote:
One of the actions a procmail recipe can have is to forward mail somewhere else. It uses sendmail to do this. Running sendmail from procmail doesn't seem to involve a domain transition, so I get:
Try to read alternatives link for sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
Try to run sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
I see from the rawhide report that something to address this has gone into selinux-policy-2.2.34-2 (thanks).
Anyway, I tried fixing it myself as follows yesterday:
module procmail 0.1;

require {
    role object_r;
    role system_r;
    class dir { add_name getattr read remove_name search write };
    class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
    class lnk_file read;
    class process { noatsecure sigchld siginh transition rlimitinh };
    class fd { use };
    class fifo_file { getattr read write append ioctl lock };
    type procmail_t;
    type var_log_t;
    type sbin_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Procmail needs to call sendmail for forwarding
allow procmail_t sbin_t:lnk_file read;
optional_policy(`sendmail',`
    sendmail_domtrans(procmail_t)
')
This does seem to work but surely there's a tidier way of handling those class requirements? What am I missing?
Paul.
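The AVC denials quoted above, parsed into the require block and raw allow rules they imply (an added Python example, not from Paul's post or from the policy tree; the sample lines are the post's own audit messages, and the rendering is a simplified stand-in for audit2allow). It makes the link between a denial's scontext/tcontext/tclass and the `type`/`class` entries a module has to declare, and flags `execute_no_trans` because the post's fix uses sendmail_domtrans() instead of letting sendmail run inside procmail_t.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the post.
SAMPLE_AUDIT = """\
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type[:level] -> type component
    return context.split(":")[2]

def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_module(name, rules):
    """Emit a minimal .te whose require block covers exactly the types and classes used."""
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        if "execute_no_trans" in perms:
            # Granting this keeps the child in the caller's domain; a domain
            # transition (sendmail_domtrans) is the least-privilege fix instead.
            out.append(f"# review: {s} would run {t} without a domain transition")
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_module("procmail_local", parse_denials(SAMPLE_AUDIT)))
```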