Bug 212893 - SELinux targeted policy + NFS mounted /home blocks procmail
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-10-29 19:33 EST by W. Michael Petullo
Modified: 2008-06-16 06:12 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-11-01 15:34:39 EST

Attachments
Log of procmail running with SELinux in permissive mode (6.76 KB, text/plain)
2006-10-29 19:33 EST, W. Michael Petullo

Description W. Michael Petullo 2006-10-29 19:33:13 EST
Description of problem:
I have an NFS-mounted /home.  When I use fetchmail to retrieve my mail, procmail
cannot process it because SELinux's targeted policy does not grant the
appropriate operations.  The context of objects in /home is

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Set SELinux to enforce the targeted policy
2. NFS mount /home
3. Fetch mail and try to process using procmail
Actual results:
Mail is not processed by procmail.  See attached log.

Expected results:

Additional info:
My .procmailrc includes /etc/mail/spamassassin/spamassassin-default.rc.
Comment 1 W. Michael Petullo 2006-10-29 19:33:13 EST
Created attachment 139687
Log of procmail running with SELinux in permissive mode
Comment 2 Daniel Walsh 2006-10-30 14:28:46 EST
fixed in selinux-policy-2.4.2-2
Comment 3 W. Michael Petullo 2006-11-01 15:34:39 EST
Confirmed fixed.  Thank you.
Comment 4 Tethys 2008-06-05 19:43:24 EDT
I'm still getting what appears to be that same problem in F9.
The following additions seem to fix it:

allow procmail_t nfs_t:file { execute execute_no_trans };

I would reopen this bug, but apparently I don't have permissions
to do so...
Comment 5 Daniel Walsh 2008-06-16 06:12:22 EDT
You could open a new bug.  What is procmail attempting to execute in the home

You can add this rule using:

grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
semodule -i myprocmail.pp
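
Before loading a module built by audit2allow, it helps to see which objects the denials actually name, which is the question asked in comment 5. The following is an added example, not part of the bug report or of selinux-policy: it summarizes procmail_t denials on nfs_t objects and prints the resulting rule for review. The sample log lines, the file names in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the bug's attachment).
_T = ('type=AVC msg=audit(1212709404.101:%d): avc:  denied  { %s } for  pid=2345 '
      'comm="%s" name="%s" dev=0:15 ino=4711 scontext=system_u:system_r:%s:s0 '
      'tcontext=system_u:object_r:nfs_t:s0 tclass=file')
SAMPLE = [
    _T % (51, 'execute', 'procmail', 'filter.sh', 'procmail_t'),
    _T % (52, 'execute_no_trans', 'procmail', 'filter.sh', 'procmail_t'),
    _T % (53, 'read', 'httpd', 'index.html', 'httpd_t'),   # other domain, ignored
    'type=SYSCALL msg=audit(1212709404.101:51): arch=40000003 syscall=11 success=no',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _setype(context):
    """An SELinux context is user:role:type[:level]; return the type field."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    rec['stype'] = _setype(rec.get('scontext', ''))
    rec['ttype'] = _setype(rec.get('tcontext', ''))
    return rec

def summarize(lines, source='procmail_t', target='nfs_t'):
    """Map (class, object name) -> sorted permissions denied to source on target."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['stype'] == source and rec['ttype'] == target:
            seen[(rec.get('tclass', '?'), rec.get('name', '?'))].update(rec['perms'])
    return {key: sorted(perms) for key, perms in seen.items()}

def allow_rules(summary, source='procmail_t', target='nfs_t'):
    """Collapse the summary into one allow rule per object class, for review."""
    by_class = defaultdict(set)
    for (tclass, _name), perms in summary.items():
        by_class[tclass].update(perms)
    return ['allow %s %s:%s { %s };' % (source, target, c, ' '.join(sorted(p)))
            for c, p in sorted(by_class.items())]
```

Calling `summarize(open('/var/log/audit/audit.log'))` on a real log lists each denied object by name, so the rule set can be compared against what procmail is expected to run before `semodule -i` is used.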
