procmail
Paul Howarth
paul at city-fan.org
Tue Apr 18 17:26:02 UTC 2006
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> I use procmail as my local delivery agent from sendmail. In FC5 this
>> appears to be running as procmail_t.
>>
>> Procmail offers the ability to pipe mail through programs (filters),
>> and I use this facility from time to time. I'm getting quite a lot of
>> denials when doing this and wonder what the right approach to fixing
>> them is.
>>
>> Case 1: a locally-written shell script called "spamdomain"
>>
>> This is in my ~/bin directory and of type user_home_t
>>
>> Procmail recipe:
>> SPAMDOMAIN=`spamdomain`
>>
>> Result:
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
>> denied { execute } for pid=16622 comm="procmail" name="spamdomain"
>> dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
>> denied { execute_no_trans } for pid=16622 comm="procmail"
>> name="spamdomain" dev=dm-1 ino=1399071
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>>
> You could relabel it bin_t?
>
> chcon -t bin_t ~/bin/spamdomain
That seems to have worked nicely.

>> Case 2: piping mail through "sa-learn"
>>
>> I run spamass-milter to reject mail in-protocol and then my own local
>> filter using procmail on anything that gets through. If I'm sure
>> something's spam, I like spamassassin to learn about it so I might
>> reject it earlier in future. So I pipe it through sa-learn
>> (spamd_exec_t):
>>
> Shouldn't sa-learn be labeled spamc_exec_t?
>
> If you change it to
>
> chcon -t spamc_exec_t /usr/bin/sa-learn
>
> Does it work?
That's looking OK so far too.

Next issue. One of the actions a procmail recipe can have is to forward
mail somewhere else. It uses sendmail to do this. Running sendmail from
procmail doesn't seem to involve a domain transition, so I get:

Try to read alternatives link for sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc:
denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3
ino=131309 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file

Try to run sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc:
denied { execute } for pid=4316 comm="procmail"
name="sendmail.sendmail" dev=dm-3 ino=131306
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc:
denied { execute_no_trans } for pid=4316 comm="procmail"
name="sendmail.sendmail" dev=dm-3 ino=131306
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc:
denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail"
dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

Sendmail running in procmail_t instead of sendmail_t:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc:
denied { search } for pid=4316 comm="sendmail" name="clientmqueue"
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12697): avc:
denied { getattr } for pid=4316 comm="sendmail" name="clientmqueue"
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12698): avc:
denied { write } for pid=4316 comm="sendmail" name="clientmqueue"
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12699): avc:
denied { add_name } for pid=4316 comm="sendmail"
name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12700): avc:
denied { create } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316"
scontext=user_u:system_r:procmail_t:s0
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.592:12701): avc:
denied { lock } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316"
dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc:
denied { name_connect } for pid=4316 comm="sendmail" dest=587
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12703): avc:
denied { remove_name } for pid=4316 comm="sendmail"
name="dfk3IHAC7p004316" dev=dm-4 ino=1149154
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12704): avc:
denied { unlink } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316"
dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0
tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12705): avc:
denied { read } for pid=4316 comm="sendmail" name="clientmqueue"
dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

And finally for today, I have in /etc/procmailrc the following line:

LOGFILE=/var/log/procmail.log

For any account that doesn't override LOGFILE in a per-account
.procmailrc, this causes procmail to log message delivery in
/var/log/procmail.log. The policy appears to support logging via syslog
(something I can't find how to configure), but not to files. Is that right?

Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.930:12668): avc:
denied { search } for pid=2774 comm="procmail" name="log" dev=dm-4
ino=851969 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc:
denied { append } for pid=2774 comm="procmail" name="procmail.log"
dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0
tcontext=user_u:object_r:var_log_t:s0 tclass=file

Paul.
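A small log-analysis helper, added here as an example and not part of this thread or of any SELinux tool: it parses kernel AVC denial lines of the form quoted in this message and flags `execute_no_trans` denials on `*_exec_t` files, which is the signature of a program being run in the caller's own domain because no domain transition rule fired (exactly what the sendmail-from-procmail denials above show). The sample lines are three denials from this message rejoined onto single lines as the kernel actually prints them; the function and variable names are my own.

```python
import re
from collections import Counter

# Sample input: three denials quoted in this message, rejoined onto one
# line each (the kernel prints each AVC record on a single line).
SAMPLE = [
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied { name_connect } for pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    'Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: denied { append } for pid=2774 comm="procmail" name="procmail.log" dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file',
]

# "avc: denied { perm1 perm2 } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Keep only the type component of user:role:type:level contexts.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def missing_transitions(lines):
    """Flag execute_no_trans denials on *_exec_t files: the caller tried to run
    the program without entering a new domain, i.e. no transition rule exists."""
    hits = []
    for rec in filter(None, map(parse_avc, lines)):
        if "execute_no_trans" in rec["perms"] and rec["ttype"].endswith("_exec_t"):
            hits.append((rec["comm"], rec["stype"], rec["ttype"]))
    return hits


def summarize(lines):
    """Count denials per (comm, source type, target type, object class); a comm
    of 'sendmail' paired with a source type of procmail_t shows up directly."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])] += 1
    return counts


if __name__ == "__main__":
    for hit in missing_transitions(SAMPLE):
        print("no domain transition: comm=%s stayed in %s while executing %s" % hit)
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

Run it against `/var/log/messages` (or `/var/log/audit/audit.log` where auditd is running) instead of `SAMPLE` to see which programs a domain is executing without a transition before deciding whether a relabel, as with the `chcon` suggestions above, or a policy change is the right fix.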