On 12-04-12 22:27, Daniel J Walsh wrote:
On 04/12/2012 12:24 PM, Geert Janssens wrote:
Hi,
I'm setting up a new server based on CentOS 6.2. It is meant to replace a
CentOS 5 server. The old server had selinux running in permissive mode, but
I figured it would be a good thing to enforce it on the new server. This
has revealed some selinux violations in my old configurations. Most of them
I managed to fix so far, with one exception:
Part of the setup involves a mailman based mailing list service. This is
configured using a postfix pipe into a python script called
postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
hassle of managing the aliases required for each list. The problem is
though that this doesn't seem to work with selinux enabled.
Here are the relevant error messages: In the maillog: pipe[11266]: fatal:
pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission
denied
And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for
pid=10858 comm="python" name="mailman" dev=xvda ino=5833449
scontext=unconfined_u:system_r:postfix_pipe_t:s0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80
success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857
pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41
fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
SELinux is preventing /usr/bin/python from search access on the directory
/var/lib/mailman.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that python should be allowed search access on the mailman
directory by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this access
for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I am not sure how to proceed here. I already tried to change the fcontext
for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
that simply results in a denial that prevents Postfix's pipe from executing
postfix-to-mailman.py.
I searched the web, but the closest I came is an old bugreport against
Fedora [2] suggesting this should have been fixed. Perhaps it is for
Fedora, but it's not for CentOS 6 at least.
What should I do to get this running ?
Geert
[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
[2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for
the binary.
Thank you for your reply.
What you write here seems to be not exactly what happens, but close
enough for me to be able to fix it. For reference I'll mention what I
finally did:
- postfix-to-mailman.py is a wrapper script around the mailman binary.
So if the mailman binary itself can work, so should the
postfix-to-mailman.py wrapper if it is labeled the same. mailman is
labeled mailman_mail_exec_t so I used
chcon -v -t mailman_mail_exec_t postfix-to-mailman.py (in
/usr/lib/mailman/bin)
Surprisingly, this didn't work. I got another AVC telling me that
postfix_pipe_t doesn't have exec rights on mailman_mail_exec_t. This
surprised me because a plain mailman setup does work.
I'd love to understand why that is, but I didn't find it. The only
difference I see is that postfix-to-mailman.py is configured using
Postfix's pipe daemon in master.cf, while a straight mailman setup uses
pipes in alias definitions, such as
ml_k2a: "|/usr/lib/mailman/mail/mailman post ml_k2a"
I don't know how these are treated differently by Postfix and how that
affects SELinux.
I worked around this by allowing postfix_pipe_t to transition to
mailman_mail_exec_t in a local policy, so postfix-to-mailman.py runs as
mailman_mail_exec_t. I don't know for sure if that is a good thing to
do, but it works -- almost.
This change does start running the wrapper script, but when the wrapper
eventually calls the mailman binary, I get another AVC:
type=AVC msg=audit(1334331914.790:385560): avc: denied { setsched }
for pid=24190 comm="python"
scontext=unconfined_u:system_r:mailman_mail_t:s0
tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=process
type=SYSCALL msg=audit(1334331914.790:385560): arch=c000003e syscall=141
success=yes exit=0 a0=0 a1=0 a2=5 a3=7fff448f6e98 items=0 ppid=24161
pid=24190 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41
fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:mailman_mail_t:s0 key=(null)
(Note that I temporarily switched to permissive mode, so the above AVC
was allowed)
Again, I couldn't figure out why this happens with
postfix-to-mailman.py, but not for the original mailman setup.
In this case I chose to run audit2allow to create a local policy to
allow this.
And that was that. I have the wrapper running now. If someone sees some
obvious problems with this, I'd be very willing to take good advice.
Selinux is pretty new to me.
Geert
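The thread never shows the local policy Geert ended up with, only that it was built from the AVCs with audit2allow plus a hand-written transition. The script below is an added example (not code from the poster or from the SELinux project) that does the same mapping from AVC records to policy statements, but treats an "execute" denial on a *_exec_t file as a domain transition rather than a plain allow, which is the distinction that made the difference here: allowing postfix_pipe_t to execute mailman_mail_exec_t without a transition would just run the wrapper in postfix_pipe_t again. The sample input is the two AVC lines quoted above (whitespace-normalised) plus a third record that is reconstructed from Geert's description of the exec denial and does not appear on the page; the module name, the pid and the msg id of that third line are made up. The generated .te uses the refpolicy macro domain_auto_trans, so it has to be built with /usr/share/selinux/devel/Makefile, not with bare checkmodule.

```python
"""Map SELinux AVC denials to a minimal local policy module.

Added example for the postfix-to-mailman thread; not the poster's code
and not part of any SELinux tooling.  audit2allow emits a flat 'allow'
for every denial; this version singles out execute denials on *_exec_t
files and turns them into a domain transition instead.
"""
import re

# Constructed sample input.  Lines 1 and 3 are the AVC records quoted in
# the thread (whitespace-normalised).  Line 2 is an ASSUMPTION: it is
# reconstructed from the poster's description of the denial he saw after
# relabelling the wrapper, and its pid/msg id are invented.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for '
    'pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 '
    'scontext=unconfined_u:system_r:postfix_pipe_t:s0 '
    'tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir',
    'type=AVC msg=audit(1334300000.000:380000): avc: denied { execute } for '
    'pid=20000 comm="pipe" name="postfix-to-mailman.py" '
    'scontext=unconfined_u:system_r:postfix_pipe_t:s0 '
    'tcontext=system_u:object_r:mailman_mail_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1334331914.790:385560): avc: denied { setsched } for '
    'pid=24190 comm="python" '
    'scontext=unconfined_u:system_r:mailman_mail_t:s0 '
    'tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'   # { search } or { read write }
    r'.*?scontext=(?P<scon>\S+)'                     # user:role:type:level
    r'\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (perms, source type, target type, class), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]   # the type is the third context field
    ttype = m.group('tcon').split(':')[2]
    return tuple(sorted(m.group('perms').split())), stype, ttype, m.group('tclass')


def rules_for(denials):
    """Turn parsed denials into policy statements.

    A plain 'allow src exec_t:file execute' would run the target in the
    caller's domain (postfix_pipe_t here).  What the poster needed was for
    the wrapper to *become* mailman_mail_t, so an execute denial on a
    *_exec_t file is emitted as domain_auto_trans(src, exec_t, domain_t).
    """
    rules = []
    for perms, stype, ttype, tclass in denials:
        if tclass == 'file' and 'execute' in perms and ttype.endswith('_exec_t'):
            domain = ttype[:-len('_exec_t')] + '_t'   # mailman_mail_exec_t -> mailman_mail_t
            rules.append('domain_auto_trans(%s, %s, %s)' % (stype, ttype, domain))
        else:
            target = 'self' if stype == ttype else ttype
            rules.append('allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(perms)))
    return rules


def policy_module(name, avc_lines):
    """Build a refpolicy-style .te file from raw audit lines.

    Build it with 'make -f /usr/share/selinux/devel/Makefile <name>.pp'
    and load it with 'semodule -i <name>.pp'; domain_auto_trans is a
    refpolicy macro and is not understood by bare checkmodule.
    """
    parsed = [p for p in (parse_avc(l) for l in avc_lines) if p]
    types, classes = set(), {}
    for perms, stype, ttype, tclass in parsed:
        types.update((stype, ttype))
        if not (tclass == 'file' and 'execute' in perms and ttype.endswith('_exec_t')):
            classes.setdefault(tclass, set()).update(perms)   # macro supplies its own perms
    body = ['policy_module(%s, 1.0)' % name, '', 'require {']
    body += ['\ttype %s;' % t for t in sorted(types)]
    body += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    body += ['}', '']
    body += rules_for(parsed)
    return '\n'.join(body) + '\n'


if __name__ == '__main__':
    print(policy_module('mailmanpipe', SAMPLE_AVCS))
```

Two practical follow-ups to what the thread does: `chcon` does not survive a relabel, so the label on the wrapper should be recorded with `semanage fcontext -a -t mailman_mail_exec_t '/usr/lib/mailman/bin/postfix-to-mailman\.py'` followed by `restorecon -v /usr/lib/mailman/bin/postfix-to-mailman.py`; and before writing the transition by hand it is worth checking whether the loaded policy already has one for some other Postfix domain, with `sesearch -T -s postfix_pipe_t -t mailman_mail_exec_t` (and the same query with `-s postfix_local_t`, the domain that handles alias pipes), which would explain why the alias-based setup works without any local module.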