[CentOS] selinux - centos 6.3 - mail

Mon Dec 24 17:00:00 UTC 2012
Larry Martell <larry.martell at gmail.com>

On Mon, Dec 24, 2012 at 9:51 AM, Gregory P. Ennis <PoMec at pomec.net> wrote:
> Everyone,
> I recently had a disc drive failure on a centos 5.8 internal mail
> server.  I replaced the drive and installed centos 6.3.   I had selinux
> turned off on the 5.8 machine, and with the upgrade to 6.3 decided to
> leave selinux active with the hopes I had learned enough to be able to
> use it.
> I have a couple of perl scripts that are activated by email that print
> the contents of the mail packet on a printer.  I have been able to fix
> the temporary directories that are used with changes of selinux
> permissions, but I have not been able to make everything work with the
> command :
> $arg = ("lp -o raw -d $LPT  $MAILFILEO");
> system($arg);
> I get the following log entry :
> Can't exec "lp": Permission denied at /usr/local/bin/s.printer.process
> line 190, <FILEI> line 19.
> Any ideas how I can get 'lp' to accept usage from the 'mail' user
> account?  Everything works ok when selinux is turned off.  I would like
> to keep it on at this point.
> Thanks,
> Greg Ennis
> Forgot to put in the results of ausearch -m avc
> type=SYSCALL msg=audit(1356364738.939:49185): arch=40000003 syscall=11 success=no exit=-13 a0=bfd992c5 a1=89c6df0 a2=89b8d58 a3=89b8d82 items=0 ppid=31198 pid=31200 auid=0 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=12 sgid=12 fsgid=12 tty=(none) ses=104 comm="s.printer.proce" exe="/usr/bin/perl" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
> type=AVC msg=audit(1356364738.939:49185): avc:  denied  { execute } for  pid=31200 comm="s.printer.proce" name="lp.cups" dev=sda7 ino=1064276 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file

This post: http://www.lefred.be/?q=node/129 has very good instructions
on how to create the selinux policy from your audit.log.
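As an added illustration of that workflow (not code from the thread or from the linked post), the script below does what `audit2allow` does with the AVC record quoted above: it parses each denial, merges permissions per source type, target type and object class, and emits the `.te` module source. The record is copied from the thread; the module name `mailprint` is a placeholder.

```python
import re
from collections import defaultdict

# Sample input: the two audit records Greg pasted in the thread above.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1356364738.939:49185): arch=40000003 syscall=11 success=no exit=-13 comm="s.printer.proce" exe="/usr/bin/perl" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1356364738.939:49185): avc:  denied  { execute } for  pid=31200 comm="s.printer.proce" name="lp.cups" dev=sda7 ino=1064276 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
"""

# Matches the permission set and the three context fields of a type=AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group('sctx').split(':')[2]
    ttype = m.group('tctx').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def merge_denials(audit_text):
    """Collect denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return dict(merged)

def allow_rules(merged):
    """One 'allow' rule per key, permissions sorted, as audit2allow prints them."""
    return ['allow %s %s:%s %s;' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def te_module(name, merged):
    """Build .te source: module header, require block, then the allow rules."""
    types = sorted({k[0] for k in merged} | {k[1] for k in merged})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', ''] + allow_rules(merged)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(te_module('mailprint', merge_denials(SAMPLE_AUDIT)))
```

Before loading a module like this, run `audit2allow -w` on the same denial to see whether an existing boolean or a file-context fix already covers it; a custom allow rule is the last resort, not the first.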