In response to a thread on the mailman-users list regarding problems creating a new list via mailman's web interface¹, I did some testing on CentOS 5 and Fedora 9. There are a small number of SELinux denials when using mailman with postfix that would be nice to get fixed up.

For background, mailman has some nice integration with postfix which allows list aliases to be set up automatically (as opposed to having an admin manually add new list aliases to /etc/aliases or what have you). This is documented in the mailman install manual².

When setting up mailman to work with postfix, the following denials are seen on Fedora 9 (they are slightly different on CentOS 5, unsurprisingly):

type=AVC msg=audit(1226861409.980:83): avc: denied { search } for pid=24239 comm="postalias" name="postfix" dev=sda2 ino=213317 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1226861409.980:83): avc: denied { read } for pid=24239 comm="postalias" name="main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861409.990:84): avc: denied { getattr } for pid=24239 comm="postalias" path="/etc/postfix/main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861755.237:93): avc: denied { read write } for pid=24597 comm="mailman" path="socket:[1115689]" dev=sockfs ino=1115689 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=udp_socket

Using audit2allow, I ended up with the following policy:

module mailmanpostfix 1.0;

require {
        type mailman_cgi_t;
        type mailman_mail_t;
        type postfix_etc_t;
        type postfix_local_t;
        class dir search;
        class file { read getattr };
        class udp_socket { read write };
}

#============= mailman_cgi_t ==============
allow mailman_cgi_t postfix_etc_t:dir search;
allow mailman_cgi_t postfix_etc_t:file { read getattr };

#============= mailman_mail_t ==============
allow mailman_mail_t postfix_local_t:udp_socket { read write };

I'd love to help get this integrated into the official SELinux policy packages for Fedora (and CentOS/RHEL if possible). I am not certain if the above policy can be tightened up or not. Any help there would be very much appreciated.

¹ http://www.mail-archive.com/mailman-users%40python.org/msg51591.html
  (The policy from the denials on CentOS 5 is in this thread.)
² http://www.gnu.org/software/mailman/mailman-install/node12.html and
  http://www.gnu.org/software/mailman/mailman-install/node13.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Happiness is like peeing on yourself. Everyone can see it, but only
you can feel its warmth
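To make explicit what audit2allow does with the four denials quoted in the post, here is an added example (not part of the post or of the audit2allow tool): a small Python script that parses the AVC lines, groups the denied permissions by (source type, target type, object class) and renders them as a .te module. The sample log is constructed from the denials above; the only cosmetic difference from the module in the post is that permissions are emitted in sorted order.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the post, one per line.
AVC_LOG = """\
type=AVC msg=audit(1226861409.980:83): avc: denied { search } for pid=24239 comm="postalias" name="postfix" dev=sda2 ino=213317 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1226861409.980:83): avc: denied { read } for pid=24239 comm="postalias" name="main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861409.990:84): avc: denied { getattr } for pid=24239 comm="postalias" path="/etc/postfix/main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861755.237:93): avc: denied { read write } for pid=24597 comm="mailman" path="socket:[1115689]" dev=sockfs ino=1115689 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=udp_socket
"""

# Pull the permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} merged over all denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(rules, name="mailmanpostfix", version="1.0"):
    """Render a .te module: require block, then one allow rule per (src, tgt, class)."""
    types = sorted({t for s, d, _ in rules for t in (s, d)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"
```

Running `print(render_te(parse_denials(AVC_LOG)))` yields the three allow rules of the post; seeing them grouped this way also makes clear that each rule is exactly as broad as the denials that produced it, which is the starting point for asking whether the udp_socket rule is really needed or can be tightened.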
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list