Bug 225005 - procmail should have access to ls_exec_t
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 6
Hardware: i386
OS: Linux
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-01-27 09:52 UTC by Michael De La Rue
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:02:52 UTC

Attachments:
actual audit log messages running with enforce off and basic policy (1.03 KB, text/plain)
2007-01-27 11:22 UTC, Michael De La Rue

Description Michael De La Rue 2007-01-27 09:52:52 UTC
Description of problem:
Procmail is not allowed to run /bin/ls, which is needed by a standard procmail
rule.  Either this rule should not be recommended or this usage should be allowed.  

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. add backup system to personal procmailrc according to procmailex manual page:

# keep a copy of every message by delivering it to the directory "backup"
# (directory delivery; procmail names the files msg.*). The directory name
# was missing from the paste and is taken from the "cd backup" below.
:0 c
backup

# then prune the copies: ls -t lists newest first, sed drops the 45 newest,
# and the rest are removed
:0 ic
| cd backup && rm -f dummy `ls -t msg.* | sed -e 1,45d`

2. allow mail to arrive

Actual results:
avc: denied { signull } for comm="zsh" egid=500 euid=500 exe="/bin/zsh" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=5555 scontext=system_u:system_r:procmail_t:s0 sgid=500 subj=system_u:system_r:procmail_t:s0 suid=500 tclass=process tcontext=system_u:system_r:procmail_t:s0 tty=(none) uid=500

Expected results:
Since this is a standard recommended use of procmail, the use should be
permitted by default.  Alternatively, the procmail manual should have a
different example.  E.g. you could do just the same thing 

Additional info:
Workaround:
1. put above audit message into a file (e.g. procmail-fixme.avc)
2. audit2allow -M procmail   < procmail-fixme.avc
3. semodule -i procmail.pp

Comment 1 Michael De La Rue 2007-01-27 10:14:15 UTC
Oops, wrong message cut and pasted (though the other one should probably be allowed too?)

type=AVC msg=audit(1169892578.898:246): avc:  denied  { execute } for  pid=3904 comm="zsh" name="ls" dev=dm-0 ino=349198 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ls_exec_t:s0

Comment 2 Michael De La Rue 2007-01-27 11:22:19 UTC
Created attachment 146743 [details]
actual audit log messages running with enforce off and basic policy

Just learning how to do it properly; this seems to be what should be fed into audit2allow.

Comment 3 Daniel Walsh 2007-01-29 18:36:31 UTC
Fixed in selinux-policy-2.4.6-33

Comment 4 Daniel Walsh 2007-08-22 14:02:52 UTC
Closed as all fixes are in the current release
