-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/17/2012 07:32 PM, Chuck Anderson wrote:
I'm using EL 6.2 with sendmail & procmail. I'm having trouble with calling custom scripts in my home directory from .procmailrc such as this recipe:
######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder. "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg
The script is labeled with home_bin_t:
-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0 /home/cra/bin/procmail-prune-backup-msg
which is a Bourne Shell script similar to this:
#!/bin/sh
# Prune the backup folder: keep the 256 newest msg.* files and delete the rest.
cd /home/cra/mail/backup || exit 1   # never run the rm below in the wrong directory
/bin/ls -t | /bin/grep '^msg\.' | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f
In my procmail log I get:
/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied
It works if I "setenforce 0".
With Enforcing, here is the AVC I get (after enabling dontaudit rules with semodule -DB):
# ausearch -i -m AVC
type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
I did a bunch of research on this and found this old changelog entry and the discussions/bugzillas leading up to it:
# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6_2.10.noarch
# rpm -q --changelog selinux-policy
...
* Tue May 25 2010 Dan Walsh <dwalsh(a)redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
Was there a recent regression that broke this functionality or did it not really make it into Enterprise Linux despite this changelog? Any ideas on how to fix this cleanly without having to disable Enforcing mode?
Thanks.

-- 
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Hey Chuck, could you check to see if this is fixed by installing the 6.3 policy. Preview currently available at:
people.redhat.com/dwalsh/SELinux/RHEL6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
iEYEARECAAYFAk+2XgUACgkQrlYvE4MpobNT9gCfYdkEQ/m0JDFQXouQdsX104w9
+qMAoMJuW4F19wHZvbPYmKyBlEPuB17Y
=1f3c
-----END PGP SIGNATURE-----
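An added example, not part of this thread and not code from either poster: a small POSIX sh helper that turns an AVC record of the kind Chuck quoted into the four fields a policy check needs (source type, denied permission, target type, object class) and builds the matching sesearch query. The sample record is the AVC line from the post, embedded here as constructed input; the function names are my own.

```shell
#!/bin/sh
# Triage helper for SELinux AVC denials (added example, not from the thread).
# Given one "type=AVC ..." line as printed by "ausearch -i -m AVC", extract the
# source/target types, the denied permission and the object class, and print
# the sesearch query that shows whether the loaded policy has an allow rule.

# Constructed sample: the AVC line quoted in the mailing-list post.
SAMPLE_AVC='type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of "KEY=value" in RECORD (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm RECORD -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# ctx_type CONTEXT -> the type component (third field) of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "SRC_TYPE PERM TGT_TYPE CLASS", e.g.
# "procmail_t search home_bin_t dir" for the sample above
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# policy_query RECORD -> the sesearch command that lists the allow rule this
# access would need; an empty result from running it confirms the policy
# really lacks the rule rather than the file being mislabeled
policy_query() {
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1" | tr ' ' ',')"
}

# Usage on a live system (not run here):
#   ausearch -i -m AVC | grep '^type=AVC' | while IFS= read -r rec; do avc_summary "$rec"; done
avc_summary "$SAMPLE_AVC"
policy_query "$SAMPLE_AVC"
```

Running the printed sesearch command on Chuck's box would settle the question he asks: if the 3.7.19-22 changelog entry actually landed in the installed policy, the query returns an allow rule for procmail_t on home_bin_t:dir with search, and the denial would have to come from labeling instead; if it returns nothing, the rule is simply not in that policy build and the 6.3 preview Dan points to is the thing to try.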