Bug 609536 - SELinux Targeted policy does not allow procmail to execute custom filters in home directories
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2010-06-30 10:29 EDT by Robert Vogelgesang
Modified: 2011-05-19 06:35 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-19 06:35:42 EDT
Attachments
SELinux policy module source to allow procmail filters in home directories (320 bytes, text/plain)
2010-07-01 11:32 EDT, Robert Vogelgesang
Description Robert Vogelgesang 2010-06-30 10:29:18 EDT
Description of problem:
The current version in RHEL-5.5 of the SELinux Targeted policy does not allow procmail to execute custom filter scripts in home directories, e.g. in $HOME/bin/.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5
selinux-policy-targeted-2.4.6-279.el5
procmail-3.22-17.1

How reproducible:
Always.

Steps to Reproduce:
1. Configure a standard mail receiving server using sendmail and procmail
2. Configure a .procmailrc with a rule ending in something like
   | $HOME/bin/mailfilter
   where $HOME/bin/mailfilter is a custom Perl or Shell script executable
3. Send an email to the user with this .procmailrc, which triggers the relevant rule
  
Actual results:
SELinux prevents the custom script from getting started. The audit.log contains something like:
type=AVC msg=audit(1277904033.382:4451): avc:  denied  { execute } for pid=2553 comm="procmail" name="mailfilter" dev=vdb1 ino=4866073 scontext=root:system_r:procmail_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

Expected results:
The script runs and receives the email content, no AVC entry in audit.log.

Additional info:
setroubleshootd produces an associated entry in /var/log/messages, and running sealert with the ID from that entry reveals a suggestion to run restorecon on the script file; doing this changes nothing, i.e. all remains perfectly repeatable.
Comment 1 Robert Vogelgesang 2010-07-01 11:32:48 EDT
Created attachment 428477
SELinux policy module source to allow procmail filters in home directories

I was able to fix the SELinux policy problems that appeared with procmail filters in subdirectories of $HOME with a new SELinux policy module.

The module not only allows executing filter scripts, but also following symlinks in case the home directories are on different "media" and symlinked from /home/.
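The mapping from the AVC denial quoted in the report to the allow rules a module like the attached one needs, as an added example that is not the attached module or Red Hat's code: it parses AVC lines the way audit2allow does in miniature and renders a .te module. The second audit line is constructed to stand for the symlink case comment 1 mentions; the type home_root_t is assumed to be the label of /home.

```python
import re
from collections import defaultdict

# Constructed input: the first line is the AVC denial quoted in the report; the
# second is a constructed lnk_file denial of the kind comment 1 describes when
# /home/<user> is a symlink onto other media (home_root_t assumed to label /home).
AUDIT_LINES = [
    'type=AVC msg=audit(1277904033.382:4451): avc:  denied  { execute } for pid=2553 '
    'comm="procmail" name="mailfilter" dev=vdb1 ino=4866073 '
    'scontext=root:system_r:procmail_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1277904100.120:4452): avc:  denied  { read } for pid=2560 '
    'comm="procmail" name="alice" dev=vdb1 ino=12 '
    'scontext=root:system_r:procmail_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Return (source type, target type, class, set of denied perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return type_of(m.group('sctx')), type_of(m.group('tctx')), m.group('tclass'), set(m.group('perms').split())

def aggregate(lines):
    """Merge denials so each (source, target, class) triple gets one permission set."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            grouped[(src, tgt, cls)] |= perms
    return grouped

def allow_rules(lines):
    return ['allow {} {}:{} {{ {} }};'.format(s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(aggregate(lines).items())]

def policy_module(name, lines):
    """Render a .te module in the shape audit2allow -M produces. The rule is as broad
    as the denial: it covers every user_home_t file, not only scripts under $HOME/bin."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), p in aggregate(lines).items():
        types |= {s, t}
        classes[c] |= p
    out = ['module {} 1.0;'.format(name), '', 'require {']
    out += ['\ttype {};'.format(t) for t in sorted(types)]
    out += ['\tclass {} {{ {} }};'.format(c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(lines)
    return '\n'.join(out) + '\n'
```

The rendered text is what checkmodule -M -m and semodule_package would turn into a loadable .pp; compare the generated rules against the denials before installing, since each one widens what procmail_t may touch.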
Comment 4 Miroslav Grepl 2011-05-19 06:35:42 EDT
This should be fixed in the current policy release in RHEL5.6.
