Bug 190087 - procmail is effectively blocked from delivering into local mh folders
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-04-27 13:42 UTC by Doug Maxey
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-05 14:07:19 UTC
Type: ---
Embargoed:


Attachments
.forward file (84 bytes, text/plain)
2006-04-27 17:53 UTC, Doug Maxey
file to use as ~/.procmailrc (341 bytes, text/plain)
2006-04-27 18:51 UTC, Doug Maxey

Description Doug Maxey 2006-04-27 13:42:33 UTC
Description of problem:
I have a mail setup where sendmail uses my .forward, which in turn runs a
procmail recipe to deliver to local mh folders on a separate filesystem still
maintained from an fc3 system.  After installing fc5, for each mail received, a
message similar to the following is generated:
---
audit(1143556960.136:3319): avc:  denied  { search } for  pid=25725
comm="procmail" name="dwm" dev=hde1 ino=3020545
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
---
Each mail received generates this message, and each mail is rejected.

I ran setfiles with the same context that /var/spool/mail/user had, but that
made no difference.  I see no indication what the correct context should be to
have procmail successfully deliver the file.

Version-Release number of selected component (if applicable):
fc5

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.
  
Actual results:
disabled selinux

Expected results:
Mail can be delivered by procmail to local mh folders with selinux enabled.

Additional info:
If there was some indication of how to map from the local context to the one
wanted by selinux for procmail, that would be a wonderful thing.

Comment 1 Daniel Walsh 2006-04-27 17:28:48 UTC
You have something on your system without a label, i.e. it is labeled file_t.
This indicates a labeling problem on either the entire system or at least the
disk that you are trying to write to.  You can relabel the entire system via

touch /.autorelabel
reboot 

or just the disk by executing 

restorecon -R -v /MOUNTPOINT
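
An added example, not part of the original thread or of the selinux-policy project: a short Python script that applies the reading given in comment 1 to AVC records, reporting the denials whose target type is file_t so that the device and inode needing a relabel are visible. The second sample record, the function names and the inclusion of unlabeled_t are assumptions of this example.

```python
import re

# Types given to objects with no (or no valid) SELinux label on disk.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is the denial quoted in this report; the second is constructed
# for contrast (same domain, but the target directory carries a real label).
SAMPLE_LOG = """\
audit(1143556960.136:3319): avc:  denied  { search } for  pid=25725
comm="procmail" name="dwm" dev=hde1 ino=3020545
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
audit(1143556961.200:3320): avc:  denied  { write } for  pid=25726
comm="procmail" name="inbox" dev=hde1 ino=3020600
scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=dir
"""


def parse_avc(record):
    """Parse one AVC denial (it may be wrapped over several lines)."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        fields[side[0] + "type"] = parts[2] if len(parts) > 2 else None
    return fields


def unlabeled_targets(log_text):
    """Return the denials whose target object has no real label."""
    # Every record starts at "audit("; splitting there keeps wrapped lines together.
    records = (parse_avc(r) for r in re.split(r"(?=audit\()", log_text))
    return [a for a in records if a and a["ttype"] in UNLABELED_TYPES]


if __name__ == "__main__":
    for a in unlabeled_targets(SAMPLE_LOG):
        print(f'{a["comm"]} ({a["stype"]}): {" ".join(a["perms"])} denied on '
              f'{a["tclass"]} "{a["name"]}" dev={a["dev"]} ino={a["ino"]}; '
              f'target type is {a["ttype"]}, so relabel that filesystem')
```

Running it over the full contents of /var/log/audit/audit.log or /var/log/messages instead of the sample shows whether any file_t denials remain after a relabel.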

Comment 2 Doug Maxey 2006-04-27 17:53:01 UTC
Created attachment 128315
.forward file

Comment 3 Doug Maxey 2006-04-27 18:51:39 UTC
Created attachment 128318
file to use as ~/.procmailrc

simple recipe to file all to one folder

Comment 4 Doug Maxey 2006-04-27 18:58:19 UTC
(In reply to comment #1)
> You have something on your system without a label, i.e. it is labeled file_t.

Maybe the only saved dmesg indicates that, but the folders and files involved
were relabeled at separate times with 

user_u:object_r:user_home_t:s0 and 
system_u:object_r:mail_spool_t:s0

but this made no difference.

There is some other transition missing.  Sorry that I can't revert at the moment
to try it here, when I do the mail bounces and the list servers all drop me.

If you have a victim, set it up to send everything to inbox with the attached
.forward and .procmailrc.  

Comment 6 Daniel Walsh 2006-05-09 17:02:25 UTC
Are you seeing any other avc messages in /var/log/messages or
/var/log/audit/audit.log?

Comment 7 Daniel Walsh 2006-10-05 14:07:19 UTC
Closing for lack of response.

