Fabrizio Buratta wrote:
> Hi everybody.
>
> This problem with selinux is exhausting my little head:
>
> I wrote a python script in order to provide an out-of-office mail system for my
> postfix mailserver on Centos5. This script uses the sqlite module to connect to a
> db file and store some information about email replies, users etc. I invoke
> my script from /etc/postfix/master.cf :
>
> autoreply unix - n n - - pipe
>   flags= user=vacation
>   argv=/etc/config_files/postfix/autoresponder/vacation.py --deliver ${sender} -- ${recipient}
>
> whose permissions are: (ls -Z /etc/config_files/postfix/autoresponder/)
>
> -rwxrwxrwx vacation vacation system_u:object_r:etc_t database.db
> -rwxrwxrwx vacation vacation system_u:object_r:postfix_pipe_exec_t vacation.py
>
> The latter context was set by me to allow /usr/libexec/postfix/pipe to be
> able to execute my script (I wouldn't use this kind of dirty "tricks"). If I
> leave with its canonical context, postfix will
> complain saying it has no permission to execute vacation.py.
>
> Assuming this configuration is right, my script is able to connect and
> retrieve information from the database (select statement) but cannot write to
> it (database.db).
> Take a look at the audit log:
>
> type=SYSCALL msg=audit(1211975254.056:1341): arch=c000003e syscall=2 success=no exit=-13 a0=27f4ec0 a1=42 a2=1a4 a3=1 items=0 ppid=7203 pid=7212 auid=0 uid=514 gid=514 euid=514 suid=514 fsuid=514 egid=514 sgid=514 fsgid=514 tty=(none) comm="python" exe="/usr/bin/python" subj=root:system_r:postfix_pipe_t:s0 key=(null)
> type=AVC msg=audit(1211975254.060:1342): avc: denied { write } for pid=7206 comm="python" name="localUsers.db" dev=dm-0 ino=262646 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
>
> I guess the python sqlite function cannot create the journaling files which are
> required by sqlite to modify a database (I've also tried to add a PRAGMA
> statement to change the temporary directory and python complains that it is
> not writable ..... even the /tmp dir). Actually if I disable selinux everything
> works, but I don't want to do that at all.
>
> I have no ideas anymore to solve it. If I create a new policy package
> from my audit.log using:
>
> audit2allow -i /var/log/audit/audit.log -m vacation > vacation.te etc....
>
> and load it with semodule, the issue doesn't go away.
>
> Any help will be really appreciated
>
> Fabrizio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Looking at the policy, postfix_pipe_t is able to write to postfix_spool_t or postfix_var_run_t, so you could change the labeling of the file to one of those contexts.

chcon -t postfix_var_run_t /etc/config_files/postfix/autoresponder/database.db

To make this permanent:

semanage fcontext -a -t postfix_var_run_t /etc/config_files/postfix/autoresponder/database.db

Or you could move the database file to a directory that is already labeled postfix_spool_t or postfix_var_run_t.
Or you can define a new type postfix_db_t and allow postfix_pipe to write to the file.