Root not allowed to use procmail??????

Paul Howarth paul at city-fan.org
Mon Apr 5 19:46:14 UTC 2010


On Mon, 5 Apr 2010 14:46:00 +0200
Dominick Grift <domg472 at gmail.com> wrote:

> On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
> > On 04/05/2010 04:47 AM, Dominick Grift wrote:
> > >type procmail_home_t;
> > >userdom_user_home_content(procmail_home_t)
> > >
> > >optional_policy(`
> > >gen_require(`
> > >	type procmail_t;
> > >')
> > >
> > >manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
> > >manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
> > >userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> > >userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> > >userdom_search_user_home_dirs(procmail_t)
> > >userdom_search_admin_dir(procmail_t)
> > >')
> > >
> > >myprocmail.fc:
> > >
> > >HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> > >/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
> > >
> > >make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> > >sudo semodule -i myprocmail.pp
> > >sudo restorecon -v /root/.procmailrc
> > >
> > I will add this, but there is a comment in the current policy
> > 
> > # only works until we define a different type for maildir
> > userdom_manage_user_home_content_dirs(procmail_t)
> > userdom_manage_user_home_content_files(procmail_t)
> > userdom_manage_user_home_content_symlinks(procmail_t)
> > userdom_manage_user_home_content_pipes(procmail_t)
> > userdom_manage_user_home_content_sockets(procmail_t)
> > userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
> > 
> > 
> > Should we add a file context for maildir and add the symlinks,
> > pipes, sockets for procmail_home_t?
> 
> I later noticed that comment as well and this probably complicates
> matters as procmail is likely not the only service that needs access
> to maildir.

Indeed it isn't. I use the dovecot IMAP server, which is configured to
serve mail delivered to maildir directories within users' home
directories (and it could handle mbox and possibly other formats too,
though maildir is faster and better from a backup perspective).

Paul.
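The .fc entries quoted in this thread decide which label restorecon puts on ~/.procmailrc, and the open question is what happens to a maildir that no entry covers. The following is an added example, not code from this thread, from refpolicy or from libselinux: a small Python model of file_contexts matching that reproduces the two rules that matter here (the last matching entry wins, which the refpolicy build relies on by sorting more specific entries later with fc_sort, and the optional middle field restricts an entry to one file type). The home directory list, the two refpolicy-style default entries for user_home_dir_t/user_home_t, and the extra entry with the invented type my_maildir_home_t are all constructed for the example; HOME_DIR is expanded from that list instead of from /etc/passwd as genhomedircon would, and Python's re stands in for POSIX extended regex.

```python
"""Minimal file_contexts (.fc) matcher in the spirit of matchpathcon.

Added example; not code from the thread, refpolicy or libselinux.
Simplifications: HOME_DIR is expanded from an explicit list of home
directories rather than /etc/passwd, and Python's re replaces POSIX ERE.
"""
import re
from typing import List, NamedTuple, Optional


class FcSpec(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # 'f', 'd', 'l', 'p', 's', 'c', 'b' or None for "any type"
    context: str           # user:role:type:mls


# Middle-field codes used in .fc files, mapped to a one-letter file kind.
FTYPE_CODES = {"--": "f", "-d": "d", "-l": "l", "-p": "p", "-s": "s", "-c": "c", "-b": "b"}

# path-regex, optional type field, then either gen_context(...) or a literal context.
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlpscb])\s+)?(gen_context\([^)]*\)|\S+)$")
GEN_CONTEXT = re.compile(r"^gen_context\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)$")


def expand_context(field: str) -> str:
    """gen_context(user:role:type, mls) -> user:role:type:mls (what m4 does at build time)."""
    m = GEN_CONTEXT.match(field)
    return f"{m.group(1)}:{m.group(2)}" if m else field


def parse_fc(text: str, home_dirs: List[str]) -> List[FcSpec]:
    """Parse .fc lines in file order, expanding HOME_DIR once per home directory."""
    specs: List[FcSpec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file context line: {raw!r}")
        path_re, code, ctx = m.groups()
        ftype = FTYPE_CODES[code] if code else None
        if path_re.startswith("HOME_DIR"):
            variants = [re.escape(h) + path_re[len("HOME_DIR"):] for h in home_dirs]
        else:
            variants = [path_re]
        for v in variants:
            specs.append(FcSpec(re.compile(v), ftype, expand_context(ctx)))
    return specs


def lookup(specs: List[FcSpec], path: str, kind: str = "f") -> Optional[str]:
    """Return the context of the LAST matching entry (libselinux rule), or None."""
    for spec in reversed(specs):
        if spec.ftype not in (None, kind):
            continue                      # type field excludes this kind of object
        if spec.regex.fullmatch(path):    # libselinux anchors the regex at both ends
            return spec.context
    return None


# Constructed sample: two refpolicy-style defaults for home content, followed by
# the two lines of the thread's myprocmail.fc, one entry per line. Order is the
# one fc_sort would produce (generic entries first, specific ones later).
SAMPLE_FC = r"""
HOME_DIR                -d   gen_context(system_u:object_r:user_home_dir_t,s0)
HOME_DIR/.+                  gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\.procmailrc   --   gen_context(system_u:object_r:procmail_home_t, s0)
/root/\.procmailrc      --   gen_context(system_u:object_r:procmail_home_t, s0)
"""

# Hypothetical entry for the maildir question; my_maildir_home_t is an invented name.
MAILDIR_FC = "HOME_DIR/Maildir(/.*)?  gen_context(system_u:object_r:my_maildir_home_t,s0)\n"

HOME_DIRS = ["/home/paul"]   # constructed; genhomedircon would derive these from /etc/passwd
MAILDIR_MSG = "/home/paul/Maildir/new/1270481174.M1.host"   # constructed maildir message path


def labels_without_maildir_type() -> dict:
    """Labels the thread's .fc alone produces: the maildir falls through to user_home_t."""
    specs = parse_fc(SAMPLE_FC, HOME_DIRS)
    return {
        "/home/paul/.procmailrc": lookup(specs, "/home/paul/.procmailrc"),
        "/root/.procmailrc": lookup(specs, "/root/.procmailrc"),
        MAILDIR_MSG: lookup(specs, MAILDIR_MSG),
        "/home/paul": lookup(specs, "/home/paul", kind="d"),
    }


def labels_with_maildir_type() -> dict:
    """Same lookups after appending the hypothetical maildir entry."""
    specs = parse_fc(SAMPLE_FC + MAILDIR_FC, HOME_DIRS)
    return {
        MAILDIR_MSG: lookup(specs, MAILDIR_MSG),
        "/home/paul/Maildir": lookup(specs, "/home/paul/Maildir", kind="d"),
        "/home/paul/.procmailrc": lookup(specs, "/home/paul/.procmailrc"),
    }


if __name__ == "__main__":
    for path, ctx in {**labels_without_maildir_type(), **labels_with_maildir_type()}.items():
        print(f"{path:45s} {ctx}")
```

The point the thread is circling shows up directly in the results: with only the quoted myprocmail.fc, ~/.procmailrc gets procmail_home_t but every file under ~/Maildir stays user_home_t, which is exactly why the current policy still has to grant procmail_t the broad userdom_manage_user_home_content_* rights; a dedicated maildir type would need its own .fc entry (and then matching rules for every agent that touches the maildir, dovecot included) before those broad rights could be dropped. The `--` type field also matters: a directory named .procmailrc would not match the procmail entries and would keep the generic label.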

