On Mon, 2006-06-19 at 15:07 -0500, Marc Schwartz (via MN) wrote:
On Mon, 2006-06-12 at 17:40 +0100, Paul Howarth wrote:
At this point it might be worth trying to remove some of the "strange" policy items, such as:
allow postfix_master_t man_t:file getattr;
and see what, if anything fails. By doing this we might get some insight into what is actually happening, or if nothing breaks, we could dontaudit it instead of allowing it.
Paul.
Paul,
Apologies for the delay in my reply, as I was traveling (Vienna, Austria) all of last week and got back late yesterday. My schedule there ended up being busier than I expected and did not have a chance to get to this.
I tried to make the above modification to mypostfix.te, however when going back to build all of the policy modules, I now get an error:
Compiling targeted procmail module
/usr/bin/checkmodule: loading policy configuration from tmp/procmail.tmp
procmail.te:41:ERROR 'syntax error' at token 'clamscan_domtrans' on line 57484:
clamscan_domtrans(procmail_t)
# ==============================================
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/procmail.mod] Error 1
Line 41 in procmail.te (as noted above) is:
clamscan_domtrans(procmail_t)
This error occurs even without the modification to mypostfix.te, so I am unclear as to what happened since the last time I was able to build them all.
I plead jet lag here and suspect that you might rapidly recognize what is happening and have an easy fix. If you need me to check some files, let me know.
The interface name has changed in a recent selinux-policy update. New procmail.te:
policy_module(procmail, 0.5.3)

require {
	type procmail_t;
	type sendmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t, procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# Hide uninteresting things when debugging using enableaudit.pp
mta_dontaudit_rw_queue(procmail_t)

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
allow procmail_t sendmail_t:process signal;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamscan(procmail_t)
Paul.
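The build failure above came from an interface that a policy update had renamed out from under the local module. As an added example, not code from the thread, this POSIX shell script lists the interface calls in a .te file that no installed .if header defines, so a renamed interface shows up before make does; it assumes sed, grep, find and sort are available and that the policy headers live under /usr/share/selinux/devel/include (the test below uses a constructed header tree instead).

```shell
#!/bin/sh
# Added example (not from the thread): find interface calls in a .te file that
# no .if header defines. Assumed tools: POSIX sh, sed, grep, find, sort.
# Real headers: /usr/share/selinux/devel/include (a constructed tree works too).

# defined_interfaces INCLUDE_DIR: names declared as interface(`x') or template(`x')
defined_interfaces() {
    find "$1" -name '*.if' -exec sed -n \
        -e "s/^interface(\`\([A-Za-z0-9_]*\)'.*/\1/p" \
        -e "s/^template(\`\([A-Za-z0-9_]*\)'.*/\1/p" {} + | sort -u
}

# called_interfaces TE_FILE: names used as name(...) at the start of a line,
# with comments stripped and core policy keywords excluded
called_interfaces() {
    sed -e 's/#.*$//' "$1" \
      | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)(.*/\1/p' \
      | grep -v -E '^(policy_module|require|gen_require|optional_policy|tunable_policy)$' \
      | sort -u
}

# undefined_interfaces TE_FILE INCLUDE_DIR: calls with no definition, one per line
undefined_interfaces() {
    defs=$(defined_interfaces "$2")
    called_interfaces "$1" | while IFS= read -r name; do
        printf '%s\n' "$defs" | grep -qx -F -- "$name" || printf '%s\n' "$name"
    done
}

# usage: undefined_interfaces procmail.te /usr/share/selinux/devel/include
```

An empty result means every call resolves against the installed headers; any name printed is either a typo or, as with clamscan_domtrans here, an interface that has been renamed or removed.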