I need a script invoked from procmail_t to run unconfined.

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Apr 30 21:02:12 UTC 2013


On 04/30/2013 12:39 PM, Robert Nichols wrote:
> I have a script invoked from a procmail recipe that needs to perform
> actions involving searching for processes by name, playing sound through
> pulseaudio, sending mail, plus a few others. When I run with enforcing=0
> I get 385 AVC denials (103KB, not attached), and that's _without_
> disabling the "dontaudit" rules, which would yield over 100 more
> denials.  The target contexts are not something I can change without
> totally destroying the current policy.
>
> Any suggestions other than the 120 "allow" rules that audit2allow would
> suggest (and that's without considering the "dontaudit" denials)?
>
> I'm getting _really_ tired of this.  I'm spending more time trying to
> get things to work under SELinux than it would take me to recover from a
> (highly unlikely) intrusion.  Sometimes the cost of insurance is just
> too high.

I tried setting up a domain transition, but it looks like a transition from
procmail_t to unconfined_t just isn't going to be allowed.  Since
unconfined_t already has an entrypoint unconfined_exec_t, the module I
installed is:

     module procmail_uncon 1.0;

     require {
         type unconfined_t;
         type unconfined_exec_t;
         type procmail_t;
         class process { transition sigchld };
     }

     allow procmail_t unconfined_t : process { transition sigchld };

That built and installed OK, and I gave the script the label
unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to
execute it I get the error:

     type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid:
         invalid context system_u:unconfined_r:procmail_t:s0 for
         scontext=system_u:system_r:procmail_t:s0
         tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process

and the desired transition does not occur.

Did I do something wrong there, or is disabling SELinux my only recourse?

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
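[Editor's worked example, not part of the original message.] The SELINUX_ERR quoted above is informative: the kernel computed a context whose role had already changed to unconfined_r (the base policy's role transition on unconfined_exec_t fired) but whose type was still procmail_t, and unconfined_r is not authorised for procmail_t. That is exactly what a module without a type_transition rule produces: an allow rule permits the domain change, but nothing selects the new type. The script below writes a self-contained module that adds the missing type_transition plus the execute/entrypoint and SIGCHLD permissions a domain transition needs, and optionally builds it with checkmodule/semodule_package and checks the loaded policy with setools' sesearch. It is an added illustration using the type names from the post; it has not been tested against the poster's policy, and it assumes system_u is authorised for the unconfined_r role (seinfo -u system_u -x shows this); if it is not, the computed context system_u:unconfined_r:unconfined_t is still invalid and a different target domain or a role_transition is needed.

```shell
#!/bin/sh
# Added illustration, not the module from the post.  Assumes the type names
# used in the post (procmail_t, unconfined_t, unconfined_exec_t) and the
# standard policycoreutils/setools tools; untested against the poster's policy.

# Policy source.  Compared with the posted module this adds the
# type_transition rule, execute/entrypoint permissions on the entrypoint file,
# and the descriptor/pipe rules a procmail child needs (the latter are
# normally already granted to unconfined_t; they are restated so the module
# reads as a complete transition).
PROCMAIL_UNCON_TE='module procmail_uncon 1.1;

require {
    type procmail_t;
    type unconfined_t;
    type unconfined_exec_t;
    class file { read getattr open execute entrypoint };
    class process { transition sigchld siginh rlimitinh noatsecure };
    class fd use;
    class fifo_file { read write getattr ioctl };
}

# procmail_t may execute the entrypoint file ...
allow procmail_t unconfined_exec_t:file { read getattr open execute };
# ... and that file is an entrypoint into unconfined_t
allow unconfined_t unconfined_exec_t:file entrypoint;
# procmail_t may change domain; the child may send SIGCHLD back to procmail
allow procmail_t unconfined_t:process transition;
allow unconfined_t procmail_t:process sigchld;
dontaudit procmail_t unconfined_t:process { siginh rlimitinh noatsecure };
# The rule the posted module lacks: select unconfined_t as the new type.
# Without it the role transition fires but the type stays procmail_t,
# giving the invalid unconfined_r:procmail_t context seen in the audit log.
type_transition procmail_t unconfined_exec_t:process unconfined_t;
# Inherited descriptors and the pipe procmail feeds the message through
allow unconfined_t procmail_t:fd use;
allow unconfined_t procmail_t:fifo_file { read write getattr ioctl };
'

write_procmail_uncon_te() {
    # $1: path of the .te file to write
    printf '%s' "$PROCMAIL_UNCON_TE" > "$1"
}

build_procmail_uncon() {
    # $1: directory containing procmail_uncon.te; produces procmail_uncon.pp.
    # Returns 2 when the build tools are missing, so "not built" can be told
    # apart from "failed to compile".
    dir=$1
    command -v checkmodule >/dev/null 2>&1 || return 2
    command -v semodule_package >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$dir/procmail_uncon.mod" "$dir/procmail_uncon.te" &&
        semodule_package -o "$dir/procmail_uncon.pp" -m "$dir/procmail_uncon.mod"
}

check_transition_rules() {
    # After `semodule -i procmail_uncon.pp`, confirm the loaded policy carries
    # the type_transition (setools sesearch).  The role caveat remains:
    # `seinfo -u system_u -x` must list unconfined_r, or the computed context
    # system_u:unconfined_r:unconfined_t is itself invalid.
    sesearch -T -s procmail_t -t unconfined_exec_t -c process
}

# Dispatch: `write [file]`, `build [dir]`, `check`; no argument does nothing.
case "${1:-}" in
    write) write_procmail_uncon_te "${2:-procmail_uncon.te}" ;;
    build) build_procmail_uncon "${2:-.}" ;;
    check) check_transition_rules ;;
esac
```

Typical use is `sh procmail_uncon.sh write && sh procmail_uncon.sh build && semodule -i procmail_uncon.pp`, with the script still labelled unconfined_exec_t as in the post. Once the transition succeeds the script runs with no confinement at all, which is the trade-off the post asks for; the audit2allow route keeps it confined at the cost of the rule count mentioned.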


