Bug 212893

Summary: SELinux targeted policy + NFS mounted /home blocks procmail
Product: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: W. Michael Petullo <redhat>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2006-11-01 20:34:39 UTC
Attachments:
Log of procmail running with SELinux in permissive mode

Description W. Michael Petullo 2006-10-30 00:33:13 UTC
Description of problem:
I have an NFS-mounted /home.  When I use fetchmail to retrieve my mail, procmail
cannot process it because SELinux's targeted policy does not grant the
appropriate operations.  The context of objects in /home is
system_u:object_r:nfs_t:s0.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.18-10

How reproducible:
Every time

Steps to Reproduce:
1. Set SELinux to enforce the targeted policy
2. NFS mount /home
3. Fetch mail and try to process using procmail
  
Actual results:
Mail is not processed by procmail.  See attached log.

Expected results:


Additional info:
My .procmailrc includes /etc/mail/spamassassin/spamassassin-default.rc.

Comment 1 W. Michael Petullo 2006-10-30 00:33:13 UTC
Created attachment 139687
Log of procmail running with SELinux in permissive mode

Comment 2 Daniel Walsh 2006-10-30 19:28:46 UTC
fixed in selinux-policy-2.4.2-2

Comment 3 W. Michael Petullo 2006-11-01 20:34:39 UTC
Confirmed fixed.  Thank you.

Comment 4 Tethys 2008-06-05 23:43:24 UTC
I'm still getting what appears to be that same problem in F9.
The following additions seem to fix it:

allow procmail_t nfs_t:file { execute execute_no_trans };

I would reopen this bug, but apparently I don't have permissions
to do so...

Comment 5 Daniel Walsh 2008-06-16 10:12:22 UTC
You could open a new bug.  What is procmail attempting to execute in the home
directory?

You can add this rule using 

grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
semodule -i myprocmail.pp
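The audit2allow step in comment 5 works by parsing the denied-AVC records in audit.log and merging them into one allow rule per (source type, target type, object class). The following is an added example, not code from the bug report or from the selinux-policy project: a small Python reimplementation of that merge which also pulls out the objects the denied execute permissions refer to, i.e. the information Dan Walsh asks for before adding a rule. The audit records are constructed to resemble the procmail_t/nfs_t denials described in this bug; the pids, inodes, paths and timestamps are made up.

```python
"""Merge SELinux AVC denials into allow rules, the way audit2allow does.

Added example; not code from the bug report or from the selinux-policy
project.  The audit records below are constructed to resemble the
procmail_t -> nfs_t denials described in this bug; pids, inodes, paths
and timestamps are made up.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (not real captured data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1212705010.101:2001): avc:  denied  { execute } for  pid=4242 comm="procmail" name="spamc" dev=0:18 ino=12345 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1212705010.102:2002): avc:  denied  { execute_no_trans } for  pid=4242 comm="procmail" path="/home/user/bin/spamc" dev=0:18 ino=12345 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1212705010.102:2002): arch=c000003e syscall=59 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
type=AVC msg=audit(1212705011.300:2003): avc:  denied  { read } for  pid=4243 comm="procmail" name=".procmailrc" dev=0:18 ino=12350 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1212705012.000:2004): avc:  denied  { search } for  pid=4243 comm="procmail" name="user" dev=0:18 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1212705013.000:2005): avc:  denied  { read } for  pid=4300 comm="sendmail" name="aliases" dev=sda1 ino=777 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one denied-AVC record into a dict (perms list plus the key=value
    fields: comm, name/path, scontext, tcontext, tclass, ...).
    Returns None for any other kind of audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def type_of(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(':')[2]


def collect_denials(log_text, comm=None):
    """All denied AVCs in log_text, optionally only those whose comm matches
    (narrower than 'grep procmail', which matches the string anywhere on a line)."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and (comm is None or rec.get('comm') == comm):
            denials.append(rec)
    return denials


def _permset(perms):
    """Policy-language permission list: braces only when there is more than one."""
    plist = ' '.join(sorted(perms))
    return '{ ' + plist + ' }' if len(perms) > 1 else plist


def allow_rules(denials):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for rec in denials:
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        merged[key].update(rec['perms'])
    return [f'allow {src} {tgt}:{cls} {_permset(perms)};'
            for (src, tgt, cls), perms in sorted(merged.items())]


def execute_targets(denials):
    """Objects the subject was denied execute/execute_no_trans on: the answer
    to 'what is procmail attempting to execute?' before any rule is added."""
    targets = set()
    for rec in denials:
        if rec['tclass'] == 'file' and {'execute', 'execute_no_trans'} & set(rec['perms']):
            targets.add(rec.get('path') or rec.get('name') or '<unknown>')
    return sorted(targets)


def module_te(name, denials):
    """Type-enforcement source for a loadable module, in the shape
    'audit2allow -M name' writes before building the .pp with semodule_package."""
    types = set()
    classes = defaultdict(set)
    for rec in denials:
        types.update((type_of(rec['scontext']), type_of(rec['tcontext'])))
        classes[rec['tclass']].update(rec['perms'])
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {_permset(p)};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += allow_rules(denials)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    procmail = collect_denials(SAMPLE_AUDIT_LOG, comm='procmail')
    print('procmail was denied execute on:', execute_targets(procmail))
    print(module_te('myprocmail', procmail))
```

Read the generated rules before loading them: a rule such as `allow procmail_t nfs_t:file { execute execute_no_trans };` lets procmail run any file on the NFS export, so the list of execute targets tells you whether that is what you actually want, and it is worth checking whether an existing policy boolean (the targeted policy has `use_nfs_home_dirs` for NFS-mounted home directories) already grants the access before installing a custom module.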