Getting postfix + procmail + selinux to work is hard, as:
- the postfix bits are exposed to the external world so they have tight
permissions
- procmail is essentially a script multiplexer, not good at all from a
security perspective: every action added to the procmailrc needs to have
been predicted, audited and authorized by the policy authors
- procmailrc is in /home, and default policy dontaudits a lot of the stuff
happening there
- selinux policy authors don't seem to run or test this combo

I spent weeks reporting bugs on this before FC5 - every selinux update
seemed to break procmail + postfix in new mysterious ways. If you find
the time to get the Fedora Devel policy ironed out for postfix +
procmail and manage somewhat to convince policy authors to check they
don't break it every other release, I'll be very grateful.

I don't have too much time nowadays so I've stopped testing for a few
months.
--
Nicolas Mailhot