Bug 187935 - SELinux Doesn't Let Postfix CC E-mail using Procmail
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Reported: 2006-04-04 14:04 EDT by Ben Carner
Modified: 2007-11-30 17:11 EST

Fixed In Version: fixed in selinux-policy-2.2.38-1.FC5.
Doc Type: Bug Fix
Last Closed: 2006-05-09 17:04:29 EDT

Description Ben Carner 2006-04-04 14:04:25 EDT
Description of problem:
This is an obscure problem.  Basically it involves three packages: Postfix,
Procmail, and SELinux (Possibly TCSH as well).  On my FC4 Postfix mail server,
with SELinux Targeted policy, I cannot have Procmail CC or forward e-mail I
receive to an outside system.  My .procmailrc file is set to CC my phone
(different e-mail address on a different system) when I get e-mail from certain
senders.  This worked fine until I upgraded to FC4 (And activated SELinux
Targeted policy), then it silently stopped. After tracing the problem over many
months, I discovered that SELinux is not allowing postfix_local_t (The context
that Procmail is apparently running under) to access the 'sendmail' command, and
thus my CC dies and my alerts are not sent.

Version-Release number of selected component (if applicable):
Fedora Core 4 (Updated as of April 3 2006)
postfix-2.2.2-2
procmail-3.22-16
selinux-policy-targeted-1.27.1-2.22

How reproducible:
Always

Steps to Reproduce:
1. Use Postfix as MTA
2. Enable Targeted policy in SELinux
3. Set up a ~/.procmailrc file to forward or CC e-mail to an outside address
4. Check audit.log for errors such as:
    type=AVC msg=audit(1143517619.762:8619): avc:  denied  { read } for  pid=30024 comm="procmail" name="sendmail" dev=dm-3 ino=1081577 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:sbin_t tclass=lnk_file

Actual results:
CC not sent

Expected results:
CC sent

Additional info:
I am using TCSH as my shell, and I get a lot of errors when it is invoked by
Postfix/Procmail since it is not able to read /etc/profile.d/*.csh, but that
doesn't seem to do more than fill up my audit.log file.
Running audit2allow gives me the following:
allow postfix_local_t etc_t:file ioctl; (Seems to be the above-mentioned *.csh files)
allow postfix_local_t initrc_var_run_t:file getattr; (Not sure about this one)
allow postfix_local_t self:file read; (Or this one)
allow postfix_local_t sbin_t:lnk_file read; (This is the one where it's bailing on sendmail (which is a link to sendmail.postfix since that is my MTA))
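The report above shows the two halves of the usual SELinux triage: the raw AVC record in audit.log, and the allow rules audit2allow derives from it. The following Python script is an added example (not part of the bug report, and not Fedora's audit2allow) that does the same derivation by hand, so a reader can see exactly how a denial line turns into a rule and why the reporter could tell the sbin_t/lnk_file denial apart from the tcsh start-up noise. The first log record is the one quoted in the report, re-joined onto a single line; the other three AVC records, the SYSCALL record and the module name local_procmail are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. The first record is the denial quoted in the bug
# report, re-joined onto one line; the other three AVC records are constructed
# here to match the audit2allow output the reporter listed (they are not taken
# from the page). The SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1143517619.762:8619): avc:  denied  { read } for  pid=30024 comm="procmail" name="sendmail" dev=dm-3 ino=1081577 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:sbin_t tclass=lnk_file
type=AVC msg=audit(1143517620.001:8620): avc:  denied  { ioctl } for  pid=30025 comm="tcsh" name="lang.csh" dev=dm-3 ino=1081600 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1143517620.002:8621): avc:  denied  { getattr } for  pid=30025 comm="tcsh" name="utmp" dev=dm-3 ino=1081601 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=AVC msg=audit(1143517620.003:8622): avc:  denied  { read } for  pid=30024 comm="procmail" name="procmail" dev=dm-3 ino=1081602 scontext=root:system_r:postfix_local_t tcontext=root:system_r:postfix_local_t tclass=file
type=SYSCALL msg=audit(1143517619.762:8619): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: '... avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:level]; policy rules use the type.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def triage(log_text):
    """Group denials by the command that hit them, so the one that breaks
    delivery (procmail reaching sendmail) is separated from shell start-up noise."""
    by_comm = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            by_comm[d['comm']].add((d['ttype'], d['tclass'], d['name']))
    return {comm: sorted(items) for comm, items in by_comm.items()}


def allow_rules(log_text):
    """Collapse denials into audit2allow-style allow rules, one per
    (source type, target type, class), merging the permissions."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if ttype == stype else ttype   # audit2allow writes "self"
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_text};')
    return rules


def module_source(name, log_text):
    """Wrap the rules in a loadable-module .te file (the shape audit2allow -M
    produces), declaring every type and class/permission the rules refer to."""
    types, class_perms = set(), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            types.update((d['stype'], d['ttype']))
            class_perms[d['tclass']].update(d['perms'])
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    for cls, perms in sorted(class_perms.items()):
        p = ' '.join(sorted(perms))
        out.append(f'\tclass {cls} {p};' if len(perms) == 1 else f'\tclass {cls} {{ {p} }};')
    out += ['}', ''] + allow_rules(log_text)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for comm, items in triage(SAMPLE_AUDIT_LOG).items():
        print(comm, items)
    print(module_source('local_procmail', SAMPLE_AUDIT_LOG))
```

On the sample log, allow_rules() yields the same four rules the reporter pasted. Saved as local_procmail.te, the module_source() output can be built and loaded with the standard tools (checkmodule -M -m -o local_procmail.mod local_procmail.te; semodule_package -o local_procmail.pp -m local_procmail.mod; semodule -i local_procmail.pp). The triage() view is the part worth looking at before loading anything: only the procmail entries explain the lost CC, and a rule generated from a denial should be kept only when the access it grants is one the domain is meant to have.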
Comment 1 Ben Carner 2006-04-18 00:40:59 EDT
Has anyone looked at this?
Comment 2 Daniel Walsh 2006-04-19 10:41:27 EDT
I believe this is fixed in FC5. Have you tried this on FC5?

In FC4 we did not have procmail policy, so I believe this is what is causing the
problem.

We could either add procmail to FC4 policy or add these allow rules.

Comment 3 Ben Carner 2006-04-19 16:28:29 EDT
No, I have not yet tried FC5. I've been waiting for it to stabilize a bit before
I break my machines with it.

FC4 has some procmail rules, but they seem baseline, which would make sense if
the policy was never really fleshed out.

Personally, I would like more than just the allow rules. They strike me as
possibly a bit over-broad.  I would like to see a full(er) policy, especially if
it wouldn't be too much trouble to backport it from FC5.
Comment 5 Ben Carner 2006-05-09 12:26:00 EDT
Any luck on this?  If it is too much effort to backport the Procmail rules from
FC5, I would be happy with just adding the allow rules.
Comment 6 Daniel Walsh 2006-05-09 17:04:29 EDT
Just add the allow rules.  We are not planning on backporting to FC4.
