I need a script invoked from procmail_t to run unconfined.
Miroslav Grepl
mgrepl at redhat.com
Thu May 2 05:58:44 UTC 2013
On 05/01/2013 12:01 PM, Dominick Grift wrote:
> On Tue, 2013-04-30 at 16:02 -0500, Robert Nichols wrote:
>> On 04/30/2013 12:39 PM, Robert Nichols wrote:
>>> I have a script invoked from a procmail recipe that needs to perform
>>> actions involving searching for processes by name, playing sound through
>>> pulseaudio, sending mail, plus a few others. When I run with enforcing=0
>>> I get 385 AVC denials (103KB, not attached), and that's _without_
>>> disabling the "dontaudit" rules, which would yield over 100 more
>>> denials. The target contexts are not something I can change without
>>> totally destroying the current policy.
>>>
>>> Any suggestions other than the 120 "allow" rules that audit2allow would
>>> suggest (and that's without considering the "dontaudit" denials)?
>>>
>>> I'm getting _really_ tired of this. I'm spending more time trying to
>>> get things to work under SELinux than it would take me to recover from a
>>> (highly unlikely) intrusion. Sometimes the cost of insurance is just
>>> too high.
>> I tried setting up a domain transition, but it looks like a transition from
>> procmail_t to unconfined_t just isn't going to be allowed. Since
>> unconfined_t already has an entrypoint unconfined_exec_t, the module I
>> installed is:
>>
>> module procmail_uncon 1.0;
>>
>> require {
>> type unconfined_t;
>> type unconfined_exec_t;
>> type procmail_t;
>> class process { transition sigchld };
>> }
>>
>> allow procmail_t unconfined_t : process { transition sigchld };
>>
> Looks like you are missing an actual domain transition rule. There is
> also something fishy going on with role based access control.
>
> Try this:
>
> sudo semodule -r procmail_uncon
>
> cat > mytest.te <<EOF
> policy_module(mytest, 1.0.0)
> optional_policy(`
> gen_require(`
> type procmail_t, unconfined_t, unconfined_exec_t;
> ')
> domtrans_pattern(procmail_t, unconfined_exec_t, unconfined_t)
> ')
> EOF
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
> sudo semodule -i mytest.pp
>
>
> Then try again, but keep a look out for any "SELINUX_ERR" messages in
> audit.log
>
> There may be some RBAC related issues yet to resolve.
>
> First things first: see where this gets you
>
>
>> That built and installed OK, and I gave the script the label
>> unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to
>> execute it I get the error:
>>
>> type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid:
>> invalid context system_u:unconfined_r:procmail_t:s0 for
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
>>
>> and the desired transition does not occur.
>>
>> Did I do something wrong there, or is disabling SELinux my only recourse?
>>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I would go a different way and create a new domain, procmail_unconfined_t, and make this domain an unconfined domain.
# cat myprocmail.te
policy_module(myprocmail, 1.0)

require {
	type procmail_t;
}

# Entrypoint type for the script(s) procmail should hand off.
type procmail_unconfined_exec_t;
application_executable_file(procmail_unconfined_exec_t)

optional_policy(`
	# The new domain the script runs in.
	type procmail_unconfined_t;
	domain_type(procmail_unconfined_t)
	domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
	# procmail runs as system_r; authorize the new domain for that role so the
	# computed context is valid (the SELINUX_ERR above is a role/type mismatch).
	role system_r types procmail_unconfined_t;
	# Automatic transition procmail_t -> procmail_unconfined_t on exec.
	domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
	allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
	allow procmail_t procmail_unconfined_exec_t:file read_file_perms;
	allow procmail_t procmail_unconfined_exec_t:file ioctl;
	init_domtrans_script(procmail_unconfined_t)
	optional_policy(`
		# Make the new domain unconfined.
		unconfined_domain(procmail_unconfined_t)
	')
')
# make -f /usr/share/selinux/devel/Makefile myprocmail.pp
# semodule -i myprocmail.pp
# chcon -t procmail_unconfined_exec_t PATH_TO_YOUR_SCRIPTS
# (chcon does not survive a relabel; for a permanent label use
#  semanage fcontext -a -t procmail_unconfined_exec_t 'PATH_TO_YOUR_SCRIPTS' && restorecon -v PATH_TO_YOUR_SCRIPTS)
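Dominick's advice above is to watch audit.log for SELINUX_ERR records rather than AVCs, and Robert's record shows why: security_compute_sid computed system_u:unconfined_r:procmail_t:s0, that is, the role changed from system_r to unconfined_r while the type stayed procmail_t, and that (role, type) pair is not authorized, so the exec fails without any AVC at all. The following is an added example, not code from the thread or from any of its participants: a POSIX shell script that reads audit records, picks out the security_compute_sid "invalid context" ones, and reports whether the problem is a role mismatch (the computed role differs from the source role) or some other invalid type, together with the role statement that would authorize the type for that role. The sample input is the record quoted in the thread joined onto one line plus a constructed AVC record to show that it is ignored; the function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): explain SELINUX_ERR security_compute_sid
# records. Sample input: the record quoted in the thread (joined onto one line)
# plus a constructed AVC record that the parser must ignore.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid: invalid context system_u:unconfined_r:procmail_t:s0 for scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
type=AVC msg=audit(1367353900.000:26478): avc:  denied  { execute } for  pid=1234 comm="procmail" name="notify.sh" scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=file'

# ctx_field CONTEXT N -> Nth colon-separated field of a context
# (1 = user, 2 = role, 3 = type, 4 = MLS range).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# explain_selinux_err reads audit records on stdin and, for each
# security_compute_sid "invalid context" record, prints one line:
#   <invalid_ctx> <source_role> <computed_role> <computed_type> <verdict>
# verdict is ROLE_MISMATCH when the computed role differs from the role of
# scontext (the computed type is not authorized for the new role), and
# TYPE_INVALID otherwise. Everything that is not such a record is skipped.
explain_selinux_err() {
    while IFS= read -r line; do
        case $line in
            *type=SELINUX_ERR*security_compute_sid:*"invalid context"*) ;;
            *) continue ;;
        esac
        invalid=${line#*"invalid context "}   # drop everything up to the context
        invalid=${invalid%% for *}            # keep the context itself
        sctx=${line#*scontext=}               # "tcontext=" does not match this
        sctx=${sctx%% *}
        src_role=$(ctx_field "$sctx" 2)
        new_role=$(ctx_field "$invalid" 2)
        new_type=$(ctx_field "$invalid" 3)
        if [ "$src_role" != "$new_role" ]; then
            verdict=ROLE_MISMATCH
        else
            verdict=TYPE_INVALID
        fi
        printf '%s %s %s %s %s\n' "$invalid" "$src_role" "$new_role" "$new_type" "$verdict"
    done
}

# fix_hint ROLE TYPE -> the policy statement that authorizes TYPE for ROLE.
# Whether to add it, or instead to stop the role transition, is a policy decision.
fix_hint() {
    printf 'role %s types %s;\n' "$1" "$2"
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$SAMPLE_AUDIT" | explain_selinux_err |
while read -r ctx src_role new_role new_type verdict; do
    echo "$ctx: $verdict (source role $src_role, computed role $new_role)"
    if [ "$verdict" = ROLE_MISMATCH ]; then
        echo "  one fix: $(fix_hint "$new_role" "$new_type")"
    fi
done
```

On a live system the same function can be fed the real records, for example with `ausearch -m SELINUX_ERR` or `grep SELINUX_ERR /var/log/audit/audit.log`, piped into `explain_selinux_err`. Note that the hint it prints is only the statement that makes the computed context valid; in the thread the chosen fix is different and arguably cleaner, namely a dedicated domain that is authorized for system_r so no role change is needed in the first place.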