On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
> > At this point it might be worth trying to remove some of the "strange"
> > policy items, such as:
> >
> > allow postfix_master_t man_t:file getattr;
> >
> > and see what, if anything, fails. By doing this we might get some insight
> > into what is actually happening, or if nothing breaks, we could
> > dontaudit it instead of allowing it.
> >
> > Paul.
> Paul,
>
> Apologies for the delay in my reply, as I was traveling (Vienna,
> Austria) all of last week and got back late yesterday. My schedule there
> ended up being busier than I expected and I did not have a chance to get
> to this.
>
> I tried to make the above modification to mypostfix.te; however, when
> going back to build all of the policy modules, I now get an error:
>
> Compiling targeted procmail module
> /usr/bin/checkmodule: loading policy configuration from tmp/procmail.tmp
> procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line 57484:
> clamscan_domtrans(procmail_t)
> # ==============================================
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/procmail.mod] Error 1
>
> Line 41 in procmail.te (as noted above) is:
>
> clamscan_domtrans(procmail_t)
>
> This error occurs even without the modification to mypostfix.te, so I am
> unclear as to what happened since the last time I was able to build them
> all.
>
> I plead jet lag here and suspect that you might rapidly recognize what
> is happening and have an easy fix. If you need me to check some files,
> let me know.
The interface name has changed in a recent selinux-policy update. New
procmail.te:
policy_module(procmail, 0.5.3)
require {
	type procmail_t;
	type sendmail_t;
};
# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)
# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t, procmail_var_log_t, { file dir })
# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
# Hide uninteresting things when debugging using enableaudit.pp
mta_dontaudit_rw_queue(procmail_t)
# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)
# Procmail occasionally signals sendmail, e.g. when it times out during
# forwarding
allow procmail_t sendmail_t:process signal;
# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)
# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamscan(procmail_t)
Paul.
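The build failure in this thread is what an unresolved interface call looks like: the module build runs the .te file through m4 together with the installed .if headers, an interface name that no header defines is passed through unexpanded, and checkmodule then reports a syntax error at exactly that token (here 'clamscan_domtrans'). The script below is an added example, not code from this thread or from the selinux-policy project. It lists every interface call in a .te file that has no matching `interface(`name',` definition anywhere in a headers tree, so a rename like this one is caught before running make. The headers directory and the two .te files it scans are constructed stand-ins written to a temporary directory; on a Fedora system the real headers are the ones under /usr/share/selinux/devel/include.

```shell
#!/bin/sh
# Added example: report interface calls in a .te file that are not defined in
# a policy headers tree. checkmodule's "syntax error at token '<name>'" on a
# line that is an interface call is the usual symptom of exactly this.

# missing_interfaces FILE.te HEADERS_DIR
# Prints one undefined interface name per line; prints nothing if all resolve.
missing_interfaces() {
    te="$1"
    inc="$2"
    # Interface calls are the lines that start with an identifier immediately
    # followed by "(". Drop the m4/support macros that share that shape.
    sed -n 's/^[[:space:]]*\([a-z_][a-z0-9_]*\)(.*/\1/p' "$te" |
        grep -vE '^(policy_module|gen_require|gen_tunable|optional_policy|tunable_policy|ifdef|ifndef|interface|template)$' |
        sort -u |
        while read -r name; do
            # Definitions in the .if files look like: interface(`name',`
            grep -rqF "interface(\`$name'" "$inc" || echo "$name"
        done
}

# --- constructed fixture (stand-in for /usr/share/selinux/devel/include) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
INC="$DEMO_DIR/include"
mkdir -p "$INC/services" "$INC/kernel"

cat > "$INC/services/clamav.if" <<'EOF'
## Constructed stand-in for clamav.if: only the renamed interface is present.
interface(`clamav_domtrans_clamscan',`
    gen_require(`
        type clamscan_t, clamscan_exec_t;
    ')
    domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
EOF

cat > "$INC/kernel/files.if" <<'EOF'
## Constructed stand-in for files.if
interface(`files_tmp_file',`
    gen_require(`
        attribute tmpfile;
    ')
    typeattribute $1 tmpfile;
')
EOF

# Module still calling the pre-rename interface name (this is the one that
# fails to build).
OLD_TE="$DEMO_DIR/old_procmail.te"
cat > "$OLD_TE" <<'EOF'
policy_module(myprocmail, 0.1)
require {
    type procmail_t;
};
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
# this name no longer exists in the headers
clamscan_domtrans(procmail_t)
EOF

# The same module after switching to the renamed interface.
NEW_TE="$DEMO_DIR/new_procmail.te"
sed 's/^clamscan_domtrans(/clamav_domtrans_clamscan(/' "$OLD_TE" > "$NEW_TE"

echo "old module, undefined interfaces:"
missing_interfaces "$OLD_TE" "$INC"   # prints: clamscan_domtrans
echo "new module, undefined interfaces:"
missing_interfaces "$NEW_TE" "$INC"   # prints nothing
```

Running `missing_interfaces mypostfix.te /usr/share/selinux/devel/include` after a selinux-policy update is a quick way to spot renamed or removed interfaces in local modules; the match is on the literal `interface(`name',` text, so a name that only appears inside another interface's body is correctly reported as missing.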