On 04/12/2012 12:24 PM, Geert Janssens wrote:
> Hi,
>
> I'm setting up a new server based on CentOS 6.2. It is meant to replace a
> CentOS 5 server. The old server had selinux running in permissive mode, but
> I figured it would be a good thing to enforce it on the new server. This
> has revealed some selinux violations in my old configurations. Most of them
> I managed to fix so far, with one exception:
>
> Part of the setup involves a mailman based mailing list service. This is
> configured using a postfix pipe into a python script called
> postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
> hassle of managing the aliases required for each list. The problem is
> though that this doesn't seem to work with selinux enabled.
>
> Here are the relevant error messages:
>
> In the maillog:
> pipe[11266]: fatal: pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied
>
> And the SELinux AVC:
> type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
> type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
>
> SELinux is preventing /usr/bin/python from search access on the directory
> /var/lib/mailman.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that python should be allowed search access on the mailman
> directory by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep python /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> I am not sure how to proceed here. I already tried to change the fcontext
> for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
> that simply results in a denial that prevents postfix' pipe to execute
> postfix-to-mailman.py.
>
> I searched the web, but the closest I came is an old bugreport against
> Fedora [2] suggesting this should have been fixed. Perhaps it is for
> Fedora, but it's not for CentOS 6 at least.
>
> What should I do to get this running?
>
> Geert
>
> [1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for the binary.

Simplest thing would be to copy the script to /usr/bin, then postfix_pipe_t would be allowed to get to the binary, or to allow postfix_pipe_t to search through mailman_data_t using a policy module:

cat mypostfix.te
policy_module(mypostfix, 1.0)

gen_require(`
	type postfix_pipe_t, mailman_data_t;
')

allow postfix_pipe_t mailman_data_t:dir search_dir_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp
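The reply above derives the allow rule by reading the source type, target type, object class and permission out of the AVC record. As an added example (not code from the thread, not audit2allow itself), the script below does that translation mechanically for an audit log: it parses every `type=AVC` record, keys the denials by (source type, target type, class), and emits a minimal .te module that grants exactly the denied permissions and nothing more. The sample log text is the thread's two audit records joined back onto single lines, and the function and module names are my own.

```python
import re

# Constructed sample: the two audit records quoted in the thread, one per
# line as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334239608.305:371794): avc:  denied  { search } for  pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
"""

# Matches the fields we need from an AVC denial. Whitespace is flexible
# because auditd double-spaces around "denied" while setroubleshoot does not.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """A context is user:role:type:level; the type is always the third field,
    even when the MLS level itself contains colons (e.g. s0-s0:c0.c1023)."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return [(source_type, target_type, tclass, frozenset(perms)), ...]
    for every AVC record in the log; SYSCALL and other records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def build_policy_module(name, version, denials):
    """Render a minimal .te module: one gen_require block listing every type
    referenced, then one allow rule per (source, target, class) carrying only
    the permissions that were actually denied."""
    rules = {}
    for stype, ttype, tclass, perms in denials:
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    lines = [
        f"policy_module({name}, {version})",
        "",
        "gen_require(`",
        f"\ttype {', '.join(types)};",
        "')",
        "",
    ]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(build_policy_module("mypostfix", "1.0", found))
```

For the thread's log this yields `allow postfix_pipe_t mailman_data_t:dir { search };`, which is narrower than the `search_dir_perms` macro (that macro also covers getattr and open). Whichever form is used, the module should be built and loaded the same way the reply shows, and the audit log re-checked afterwards: allowing `search` on the directory only removes the first denial on the path, so the next attempt may surface a further denial on the file itself that has to be judged on its own.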