Bug 187935 - SELinux Doesn't Let Postfix CC E-mail using Procmail
Summary: SELinux Doesn't Let Postfix CC E-mail using Procmail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-04 18:04 UTC by Ben Carner
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: fixed in selinux-policy-2.2.38-1.FC5.
Clone Of:
Environment:
Last Closed: 2006-05-09 21:04:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Ben Carner 2006-04-04 18:04:25 UTC 
Description of problem:
This is an obscure problem.  Basically it involves three packages: Postfix,
Procmail, and SELinux (Possibly TCSH as well).  On my FC4 Postfix mail server,
with SELinux Targetted policy, I cannot have Procmail CC or forward e-mail I
receive to an outside system.  My .procmailrc file is set to CC my phone
(different e-mail address on a different system) when I get e-mail from certain
senders.  This worked fine until I upgraded to FC4 (And activated SELinux
Targetted policy), then it silently stopped. After tracing the problem over many
months, I discovered that SELinux is not allowing postfix_local_t (The context
that Procmail is apparently running under) to access the 'sendmail' command, and
thus my CC dies and my alerts are not sent.

Version-Release number of selected component (if applicable):
Fedora Core 4 (Updated as of April 3 2006)
postfix-2.2.2-2
procmail-3.22-16
selinux-policy-targeted-1.27.1-2.22

How reproducible:
Always

Steps to Reproduce:
1. Use Postfix as MTA
2. Enable Targetted policy in SELinux
3. Setup a ~/.procmailrc file to forward or CC e-mail to an outside address
4. Check audit.log for errors such as:
<pre>type=AVC msg=audit(1143517619.762:8619): avc:  denied  { read } for 
pid=30024 comm="procmail" name="sendmail" dev=dm-3 
ino=1081577 scontext=root:system_r:postfix_local_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file</pre>

  
Actual results:
CC not sent

Expected results:
CC sent

Additional info:
I am using TCSH as my shell, and I get a lot of errors when it is invoked by
Postfix/Procmail since it is not able to read /etc/profile.d/*.csh, but that
doesn't seem to do more than fill up my audit.log file.
Running audit2allow gives me the following:
allow postfix_local_t etc_t:file ioctl; (Seems to be the above-mentioned *.csh
files)
allow postfix_local_t initrc_var_run_t:file getattr; (Not sure about this one)
allow postfix_local_t self:file read; (Or this one)
allow postfix_local_t sbin_t:lnk_file read; (This is the one where it's bailing
on sendmail (Which is a link to sendmail.postfix since that is my MTA)
Comment 1 Ben Carner 2006-04-18 04:40:59 UTC 
Has anyone looked at this?
Comment 2 Daniel Walsh 2006-04-19 14:41:27 UTC 
I believe this is fixed in FC5. Have you tried this on FC5?

In FC4 we did not have procmail policy, so I believe this is what is causing the
problem.

We could either add procmail to FC4 policy or add these allow rules.
Comment 3 Ben Carner 2006-04-19 20:28:29 UTC 
No, I have not yet tried FC5. I've been waiting for it to stabilize a bit before
I break my machines with it.

FC4 has some procmail rules, but they seem baseline, which would make sense if
the policy was never really fleshed out.

Personally, I would like more than just the allow rules. They strike me as
possibly a bit over-broad.  I would like to see a full(er) policy, especially if
it wouldn't be too much trouble to backport it from FC5.
Comment 5 Ben Carner 2006-05-09 16:26:00 UTC 
Any luck on this?  If it is too much effort to backport the Procmail rules from
FC5, I would be happy with just adding the allow rules.
Comment 6 Daniel Walsh 2006-05-09 21:04:29 UTC 
Just add the allow rules.  We are not planning on backporting to FC4.
Note You need to log in before you can comment on or make changes to this bug.