Root not allowed to use procmail??????

Dominick Grift domg472 at gmail.com
Mon Apr 5 12:46:00 UTC 2010


On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
> On 04/05/2010 04:47 AM, Dominick Grift wrote:
> >type procmail_home_t;
> >userdom_user_home_content(procmail_home_t)
> >
> >optional_policy(`
> >gen_require(`
> >	type procmail_t;
> >')
> >
> >manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_search_user_home_dirs(procmail_t)
> >userdom_search_admin_dir(procmail_t)
> >')
> >
> >myprocmail.fc:
> >
> >HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> >/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> >
> >make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> >sudo semodule -i myprocmail.pp
> >sudo restorecon -v /root/.procmailrc
> >
> I will add this, but there is a comment in the current policy
> 
> # only works until we define a different type for maildir
> userdom_manage_user_home_content_dirs(procmail_t)
> userdom_manage_user_home_content_files(procmail_t)
> userdom_manage_user_home_content_symlinks(procmail_t)
> userdom_manage_user_home_content_pipes(procmail_t)
> userdom_manage_user_home_content_sockets(procmail_t)
> userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
> 
> 
> Should we add a file context for maildir and add the symlinks,
> pipes,sockets for procmail_home_t?

I later noticed that comment as well and this probably complicates matters as procmail
is likely not the only service that needs access to maildir. Also I believe there are different methods of
storing e-mail. One of which is maildir, another mbox, I believe. There are probably more.

So I think we should figure out the locations and formats for storing e-mail, and I think we should use a generic type for mail content in the user dirs.

I wonder what the reason is that this has not been implemented yet (who made the comment in refpolicy and why?)
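After `semodule -i` and `restorecon`, the practical check is that the file really carries the type the `.fc` entry assigns. The script below is an added example, not part of the thread; it parses `ls -Z`-style output (assumed to be the modern coreutils form `context path`) and compares the type field against the expected `procmail_home_t`. The two sample lines are constructed so the label logic can be exercised offline; `check_path` is the hypothetical live variant for an SELinux host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a file's
# SELinux type is the one the policy module's .fc entry assigns.

# Constructed samples of `ls -Z /root/.procmailrc` output: the first is what
# restorecon should produce once myprocmail.pp is loaded, the second is the
# default label a file under /root gets without the module.
SAMPLE_OK='system_u:object_r:procmail_home_t:s0 /root/.procmailrc'
SAMPLE_BAD='unconfined_u:object_r:admin_home_t:s0 /root/.procmailrc'

# selinux_type LINE  -> prints the type field (third ':'-separated part of
# the context, e.g. procmail_home_t).
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# check_label LINE EXPECTED_TYPE -> 0 if the type matches, 1 otherwise.
check_label() {
    actual=$(selinux_type "$1")
    [ "$actual" = "$2" ]
}

# check_path PATH EXPECTED_TYPE -> live variant; needs an SELinux host.
# Returns 2 if the path is missing or ls -Z fails, else as check_label.
check_path() {
    line=$(ls -Z "$1" 2>/dev/null) || return 2
    check_label "$line" "$2"
}

# Stand-alone usage: report on the constructed samples.
for s in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if check_label "$s" procmail_home_t; then
        echo "ok:   $s"
    else
        echo "WRONG label (expected procmail_home_t): $s"
    fi
done
```

Run `check_path /root/.procmailrc procmail_home_t` on the target host; a mismatch after `restorecon` usually means the `.fc` pattern did not match the path or the module was not loaded.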
