I'm attempting to write an RBAC policy for my system with ~10 odd users.
It's a mail system mostly. Mail comes in, is handed to procmail and procmail writes the mail out to /home/<username>/Maildir/
I'm trying to figure out how to have one rule that covers all users to allow for this case.
At the moment, full learning has given me a bunch of Roles, each with
```
subject /usr/bin/procmail o {
	user_transition_allow the_user root nobody
	group_transition_allow the_user mail nogroup
	/ h
	/dev
	/dev/grsec h
	/dev/kmem h
	/dev/log h
	/dev/mem h
	/dev/null a
	/dev/port h
	/etc h
	/etc/group r
	/etc/ld.so.cache r
	/etc/nsswitch.conf r
	/etc/passwd r
	/etc/procmailrc r
	/home h
	/home/the_user
	/home/the_user/.procmailrc r
	/home/the_user/Maildir wcdl
}
```
Is there a way I can do something like:
```
domain mailusers user1 user2 user3 user4 user...
subject /usr/bin/procmail o {
	user_transition_allow the_user root nobody
	group_transition_allow the_user mail nogroup
	/ h
	/dev
	/dev/grsec h
	/dev/kmem h
	/dev/log h
	/dev/mem h
	/dev/null a
	/dev/port h
	/etc h
	/etc/group r
	/etc/ld.so.cache r
	/etc/nsswitch.conf r
	/etc/passwd r
	/etc/procmailrc r
	/home h
	/home/$user
	/home/$user/.procmailrc r
	/home/$user/Maildir wcdl
}
```
Having read the Wikibook, I don't think there is?
My options appear to be let procmail have write access to everything under /home, or have individual policies for each user.
Does anyone have a more optimal solution?
Thanks!
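An added example, not part of the post above and not grsecurity's own tooling: the "individual policies for each user" option, automated. The script takes the procmail subject block that full learning produced and emits one copy per account with the user's name substituted, so each user only gets write access to their own Maildir and the ten blocks cannot drift apart. The object list and modes are copied from the post; the `role <user> u` header is an assumption about where the block is placed, and the real role still needs its other subjects (the post shows only the procmail one). User names are validated before substitution so that a name containing whitespace, a slash or a brace cannot change the meaning of the generated policy lines.

```python
"""
Generate one procmail subject block per user for a grsecurity RBAC policy.

Example script written for this thread; it is not part of grsecurity and not
the poster's code. The object list is the one learned by full learning in the
post. The "role <user> u" header is an assumption about where the block goes.
"""
import re
import sys
from string import Template
from typing import Iterable

# Subject block from the post, with "the_user" turned into a $user placeholder.
# Object modes (h, r, a, wcdl) are kept exactly as learned.
PROCMAIL_SUBJECT = Template("""\
subject /usr/bin/procmail o {
\tuser_transition_allow $user root nobody
\tgroup_transition_allow $user mail nogroup
\t/ h
\t/dev
\t/dev/grsec h
\t/dev/kmem h
\t/dev/log h
\t/dev/mem h
\t/dev/null a
\t/dev/port h
\t/etc h
\t/etc/group r
\t/etc/ld.so.cache r
\t/etc/nsswitch.conf r
\t/etc/passwd r
\t/etc/procmailrc r
\t/home h
\t/home/$user
\t/home/$user/.procmailrc r
\t/home/$user/Maildir wcdl
}
""")

# Only plain Unix account names are accepted: whitespace, a slash or a brace in
# a name would turn into extra tokens or objects in the generated policy.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def render_procmail_subject(user: str) -> str:
    """Return the procmail subject block for a single user."""
    if not VALID_USERNAME.match(user):
        raise ValueError(f"refusing to emit policy for unsafe user name: {user!r}")
    return PROCMAIL_SUBJECT.substitute(user=user)


def render_policy(users: Iterable[str]) -> str:
    """Return a 'role <user> u' block (assumed header syntax) per distinct account.

    Each role only carries the procmail subject here; the role's other subjects
    from the learned policy would be added alongside it.
    """
    blocks = []
    for user in sorted(set(users)):
        header = f"role {user} u\n# other subjects learned for this role go here\n"
        blocks.append(header + render_procmail_subject(user))
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample user list; pass the real account names as arguments.
    names = sys.argv[1:] or ["alice", "bob", "carol"]
    sys.stdout.write(render_policy(names))
```

Run it as `python3 gen_procmail_policy.py user1 user2 ...` and paste the output into the policy; regenerating after a change to the template is the only step needed to keep all users consistent.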