LinuxQuestions.org
Old 03-14-2008, 02:30 AM   #1
thomasz
LQ Newbie
 
Registered: Mar 2008
Posts: 1

How to execute a Perl script in ~/.procmailrc with SELinux set to Enforcing?


Hi!

I am installing the mail processor for Request-Tracker (RT). The basic idea is to forward all messages for a certain subdomain (i.e. rt.company.com) to a specific user and then execute a Perl script for each message using procmail.

My system is running CentOS 5.1 and sendmail. SELinux is enabled and set to enforcing mode.

I have set up the processing rules in ~/.procmailrc for the user:

Code:
# Uncomment VERBOSE and LOGFILE for debugging, they're helpful at times.
VERBOSE=1
LOGFILE=$HOME/.procmail.log
LOCKFILE=$HOME/.procmail.LCK
ARG1=$1
EXTENSION=`echo $ARG1 | awk -F. '{ print $1 }'`
SUFFIX=`echo $ARG1 | awk -F. '{ print $2 }'`

# if spam, drop it!
:0:
* ^X-Spam-Status: Yes
/dev/null

# if no list of actions, default action is correspond
:0
* ? test -z "$SUFFIX"
|/etc/smrsh/rt-mailgate --extension queue --action correspond --url url-removed

# Otherwise, if we DO have a list of actions, run with them. 
:0 E
* ? test ! -z "$SUFFIX"
{
  :0
  |/etc/smrsh/rt-mailgate --extension queue --action $SUFFIX --url url-removed
}

When a message is received, SELinux forbids the execution of the Perl script:

Code:
type=AVC msg=audit(1205484249.254:4985): avc:  denied  { execute } for  pid=4016 comm="procmail" name="rt-mailgate" dev=dm-0 ino=278496 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1205484249.254:4985): arch=40000003 syscall=11 success=no exit=-13 a0=8c1cd90 a1=8c1e980 a2=8c1ebb0 a3=6 items=0 ppid=4006 pid=4016 auid=500 uid=505 gid=507 euid=505 suid=505 fsuid=505 egid=507 sgid=12 fsgid=507 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=user_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1205484249.260:4986): avc:  denied  { read } for  pid=4016 comm="sh" name="rt-mailgate" dev=dm-0 ino=278496 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1205484249.260:4986): arch=40000003 syscall=5 success=no exit=-13 a0=8615360 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=4016 auid=500 uid=505 gid=507 euid=505 suid=505 fsuid=505 egid=507 sgid=507 fsgid=507 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:procmail_t:s0 key=(null)

I have tried executing the script /usr/sbin/rt-mailgate directly and by using a symbolic link /etc/smrsh/rt-mailgate. They both fail.

Code:
# ls -la /usr/sbin/rt-mailgate 
-rwxr-xr-x 1 root root 9836 13. maalis 14:05 /usr/sbin/rt-mailgate
# ls -la /etc/smrsh/rt-mailgate 
lrwxrwxrwx 1 root root 21 13. maalis 23:34 /etc/smrsh/rt-mailgate -> /usr/sbin/rt-mailgate

The obvious solution that multiple guides mention is to disable SELinux, but I don't want to do that. Another solution is to use /etc/aliases, but then I would have to maintain that file every time a new ticket queue is added to RT.

Any idea how I can allow procmail and the user to execute the script without disabling SELinux?

Thank you in advance!

Best regards,
Thomas
 
Old 03-14-2008, 05:25 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

audit2allow to the rescue...

Quote:
Originally Posted by thomasz
Hi!
Hello and welcome to LQ. Hope you like it here.
If you don't mind me asking, how did you find LQ?


Quote:
Originally Posted by thomasz
I have set up the processing rules in ~/.procmailrc for the user:
This is an unprivileged user (with ID >= 500), right?


Quote:
Originally Posted by thomasz
I have tried executing the script /usr/sbin/rt-mailgate directly and by using a symbolic link /etc/smrsh/rt-mailgate. They both fail.
/etc/smrsh/ is the location for Sendmail *itself* to execute things from, not for ordinary users to use. You say both commands fail. You mean running those as unprivileged user? Any errors displayed that could point to configuration issues or not using the right arguments?


Quote:
Originally Posted by thomasz
# ls -la /usr/sbin/rt-mailgate
If you run SELinux and suspect problems with that, add "-Z" to see the security context. This also works with other utilities like 'ps'.


Quote:
Originally Posted by thomasz
The obvious solution that multiple guides mention is to disable SELinux
No, the obvious misconception is to disable it. Most guides will tell you to disable SELinux because they want to move on to the next step, not explaining the security benefits of SELinux and the consequences of disabling it. SELinux "targeted" policy and tools now are capable of much more, so adjusting it should be no problem.


Quote:
Originally Posted by thomasz
Another solution is to use /etc/aliases, but then I would have to maintain that file everytime a new ticket queue is added to RT.
Even that could be automated, but let's leave that as a last resort option.


Quote:
Originally Posted by thomasz
Any idea how I can allow procmail and the user to execute the script without disabling SELinux?
If I "translate" your AVC messages to something more readable I get:
Code:
avc: process name="rt-mailgate" (running in scontext=user_u:system_r:procmail_t:s0) is not allowed to { execute } exe="/usr/bin/procmail"  (which runs in tcontext=system_u:object_r:sbin_t:s0)
avc:  process name="rt-mailgate" (running in scontext=user_u:system_r:procmail_t:s0) is not allowed to { read } exe="/bin/bash" (which runs in tcontext=system_u:object_r:sbin_t:s0)
If I were to translate that into a local policy addition, the rule could look like:
Code:
allow procmail_t sbin_t:file { read execute };
...but that isn't complete and possibly not too restrictive.


Luckily for you there's a *way easier* approach to solving AVC problems and that's running "audit2allow"; my most recent command set is here: http://www.linuxquestions.org/questi...78#post3073278

Last edited by unSpawn; 03-14-2008 at 05:27 AM.
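As an added illustration (not code from either poster), the following Python script does the simplest part of what audit2allow does: it pulls the source type, target type, object class and denied permissions out of AVC records like the ones in the thread and merges them into type-enforcement allow rules. Fed the two denials from post #1 (embedded below as constructed sample input), it produces the same procmail_t / sbin_t rule unSpawn wrote by hand; as he notes, that rule is broad, since it grants procmail_t read and execute on every sbin_t file, so treat the output as a starting point for review, not a policy to install as-is.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the thread plus one SYSCALL
# record, trimmed to the fields the parser needs (other key=value pairs are ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205484249.254:4985): avc:  denied  { execute } for  pid=4016 comm="procmail" name="rt-mailgate" dev=dm-0 ino=278496 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1205484249.254:4985): arch=40000003 syscall=11 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail"
type=AVC msg=audit(1205484249.260:4986): avc:  denied  { read } for  pid=4016 comm="sh" name="rt-mailgate" dev=dm-0 ino=278496 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
"""

# Matches the denied permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type (third colon-separated field) of an SELinux context,
    e.g. user_u:system_r:procmail_t:s0 -> procmail_t."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial.
    Non-AVC records (SYSCALL, PATH, ...) are skipped."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def denials_to_allow_rules(log_text):
    """Merge denials sharing (source type, target type, class) into one allow
    rule each, the way audit2allow's basic output does. Permissions are sorted
    so the output is deterministic."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)  # prints: allow procmail_t sbin_t:file { execute read };
```

The real audit2allow (with -M) additionally wraps such rules in a loadable module; the point here is only to make visible how the rule is derived from the scontext, tcontext and tclass fields.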
 
  

