I need a script invoked from procmail_t to run unconfined.

Dominick Grift dominick.grift at gmail.com
Wed May 1 10:01:53 UTC 2013


On Tue, 2013-04-30 at 16:02 -0500, Robert Nichols wrote:
> On 04/30/2013 12:39 PM, Robert Nichols wrote:
> > I have a script invoked from a procmail recipe that needs to perform
> > actions involving searching for processes by name, playing sound through
> > pulseaudio, sending mail, plus a few others. When I run with enforcing=0
> > I get 385 AVC denials (103KB, not attached), and that's _without_
> > disabling the "dontaudit" rules, which would yield over 100 more
> > denials.  The target contexts are not something I can change without
> > totally destroying the current policy.
> >
> > Any suggestions other than the 120 "allow" rules that audit2allow would
> > suggest (and that's without considering the "dontaudit" denials)?
> >
> > I'm getting _really_ tired of this.  I'm spending more time trying to
> > get things to work under SELinux than it would take me to recover from a
> > (highly unlikely) intrusion.  Sometimes the cost of insurance is just
> > too high.
> 
> I tried setting up a domain transition, but it looks like a transition from
> procmail_t to unconfined_t just isn't going to be allowed.  Since
> unconfined_t already has an entrypoint unconfined_exec_t, the module I
> installed is:
> 
>      module procmail_uncon 1.0;
> 
>      require {
> 	type unconfined_t;
> 	type unconfined_exec_t;
> 	type procmail_t;
> 	class process { transition sigchld };
>      }
> 
>      allow procmail_t unconfined_t : process { transition sigchld };
> 

Looks like you are missing an actual domain transition rule. There is
also something fishy going on with role based access control.

Try this:

sudo semodule -r procmail_uncon

cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)
optional_policy(`
gen_require(`
type procmail_t, unconfined_t, unconfined_exec_t;
')
domtrans_pattern(procmail_t, unconfined_exec_t, unconfined_t)
')
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp


Then try again, but keep a look out for any "SELINUX_ERR" messages in
audit.log

There may be some RBAC related issues yet to resolve.

First things first: see where this gets you


> That built and installed OK, and I gave the script the label
> unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to
> execute it I get the error:
> 
>      type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid: 
> invalid context system_u:unconfined_r:procmail_t:s0 for 
> scontext=system_u:system_r:procmail_t:s0 
> tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
> 
> and the desired transition does not occur.
> 
> Did I do something wrong there, or is disabling SELinux my only recourse?
> 
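As an added illustration (not code from this thread), a small parser for the SELINUX_ERR line quoted above: it splits the computed, source and target contexts into user/role/type/level and reports which fields the kernel changed, which is the first thing to check when a security_compute_sid error appears in audit.log. The sample line is the one from the thread, rejoined onto a single line.

```python
import re

# Constructed sample: the SELINUX_ERR record quoted in the thread, rejoined onto one line.
SAMPLE = ("type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid: "
          "invalid context system_u:unconfined_r:procmail_t:s0 for "
          "scontext=system_u:system_r:procmail_t:s0 "
          "tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process")

# Matches the kernel's message shape; whitespace is flexible so wrapped lines also parse.
_ERR_RE = re.compile(r"security_compute_sid:\s+invalid context\s+(\S+)\s+for\s+"
                     r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def parse_context(ctx):
    """Split an SELinux context 'user:role:type:level' into its four fields."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_compute_sid_error(line):
    """Return the computed/source/target contexts and class, or None if not a compute_sid error."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    return {"computed": parse_context(m.group(1)),
            "scontext": parse_context(m.group(2)),
            "tcontext": parse_context(m.group(3)),
            "tclass": m.group(4)}


def explain(line):
    """List which fields changed between the source context and the rejected computed one."""
    info = parse_compute_sid_error(line)
    if info is None:
        return []
    src, new = info["scontext"], info["computed"]
    notes = []
    for field in ("user", "role", "type"):
        if src[field] != new[field]:
            notes.append(f"{field} changed {src[field]} -> {new[field]}")
        else:
            notes.append(f"{field} unchanged ({src[field]})")
    if src["role"] != new["role"] and src["type"] == new["type"]:
        # A role_transition fired without a matching type_transition, so the new
        # (role, type) pair is one the loaded policy does not authorize.
        notes.append("role changed but type did not: computed context fails policy validation")
    return notes
```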
