Bug 225005 - procmail should have access to ls_exec_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i386 Linux
Priority: medium   Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-01-27 04:52 EST by Michael De La Rue
Modified: 2007-11-30 17:11 EST

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:02:52 EDT

Attachments:
actual audit log messages running with enforce off and basic policy (1.03 KB, text/plain), 2007-01-27 06:22 EST, Michael De La Rue

Description Michael De La Rue 2007-01-27 04:52:52 EST
Description of problem:
Procmail is not allowed to run /bin/ls, which is needed by a standard procmail
rule.  Either this rule should not be recommended or this usage should be allowed.  

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-27.fc6
procmail-3.22-17.1

How reproducible:
every time

Steps to Reproduce:
1. add backup system to personal procmailrc according to procmailex manual page:

:0 c
backup

:0 ic
| cd backup && rm -f dummy `ls -t msg.* | sed -e 1,45d`

2. allow mail to arrive

Actual results:
avc: denied { signull } for comm="zsh" egid=500 euid=500 exe="/bin/zsh" exit=-13
fsgid=500 fsuid=500 gid=500 items=0 pid=5555
scontext=system_u:system_r:procmail_t:s0 sgid=500
subj=system_u:system_r:procmail_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:procmail_t:s0 tty=(none) uid=500 

Expected results:
Since this is a standard recommended use of procmail, the use should be
permitted by default.  Alternatively, the procmail manual should have a
different example.  E.g. you could do just the same thing 

Additional info:
Workaround:
1. put above audit message into a file (e.g. procmail-fixme.avc)
2. audit2allow -M procmail   < procmail-fixme.avc
3. semodule -i procmail.pp
Comment 1 Michael De La Rue 2007-01-27 05:14:15 EST
oops.. wrong message cut and paste (though the other one should probably be
allowed too??) 

type=AVC msg=audit(1169892578.898:246): avc:  denied  { execute } for  pid=3904
comm="zsh" name="ls" dev=dm-0 ino=349198
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ls_exec_t:s0
tclass=file
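The workaround in the description feeds raw AVC records to audit2allow. As an added example (not part of this bug report or of the selinux-policy package), the following Python script parses the two denials quoted in this bug, the execute denial on ls_exec_t and the signull denial on procmail_t, and prints allow rules in the same form audit2allow emits, merging permissions per (source type, target type, class). The sample records are the ones from this report, re-joined onto one line each.

```python
import re

# Constructed sample: the two AVC denials quoted in this bug report,
# each joined onto a single line (the report wraps them).
SAMPLE_AVC = """
type=AVC msg=audit(1169892578.898:246): avc:  denied  { execute } for  pid=3904 comm="zsh" name="ls" dev=dm-0 ino=349198 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ls_exec_t:s0 tclass=file
avc: denied { signull } for comm="zsh" egid=500 euid=500 exe="/bin/zsh" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=5555 scontext=system_u:system_r:procmail_t:s0 sgid=500 subj=system_u:system_r:procmail_t:s0 suid=500 tclass=process tcontext=system_u:system_r:procmail_t:s0 tty=(none) uid=500
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None if not a denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    perms = m.group(1).split()
    # Field order varies between audit formats, so pick each key independently.
    fields = dict(re.findall(r"\b(scontext|tcontext|tclass)=(\S+)", line))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:level]; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms


def allow_rules(text):
    """Merge every denial into one allow rule per (source, target, class)."""
    merged = {}
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Same source and target type is written as "self", as audit2allow does.
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Unlike `audit2allow -M`, this only prints the rules; compare them with what the policy update named in Comment 3 already grants before building and loading a local module, since a rule written from one denial at a time can be broader than the fix the distribution ships.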
Comment 2 Michael De La Rue 2007-01-27 06:22:19 EST
Created attachment 146743 [details]
actual audit log messages running with enforce off and basic policy

just learning how to do it properly.. this seems to be what that should be fed
into audit2allow.
Comment 3 Daniel Walsh 2007-01-29 13:36:31 EST
Fixed in selinux-policy-2.4.6-33
Comment 4 Daniel Walsh 2007-08-22 10:02:52 EDT
Closed as all fixes are in the current release