[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Selinux and mailman via postfix pipe

On 12-04-12 22:27, Daniel J Walsh wrote:
On 04/12/2012 12:24 PM, Geert Janssens wrote:

I'm setting up a new server based on CentOS 6.2. It is meant to replace a
CentOS 5 server. The old server had selinux running in permissive mode, but
I figured it would be a good thing to enforce it on the new server. This
has revealed some selinux violations in my old configurations. Most of them
I managed to fix so far, with one exception:

Part of the setup involves a mailman based mailing list service. This is
configured using a postfix pipe into a python script called
postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
hassle of managing the aliases required for each list. The problem is
though that this doesn't seem to work with selinux enabled.

Here are the relevant error messages: In the maillog: pipe[11266]: fatal:
pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission

And the SELinux AVC: type=AVC msg=audit(1334239608.305:371794): avc:
denied  { search } for pid=10858 comm="python" name="mailman" dev=xvda
ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s 0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir type=SYSCALL
msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no
exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858
auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41
tty=(none) ses=6491 comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)

SELinux is preventing /usr/bin/python from search access on the directory

*****  Plugin catchall (100. confidence) suggests

If you believe that python should be allowed search access on the mailman
directory by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this access
for now by executing: # grep python /var/log/audit/audit.log | audit2allow
-M mypol # semodule -i mypol.pp

I am not sure how to proceed here. I already tried to change the fcontext
for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
that simply results in a denial that prevents postfix' pipe to execute

I searched the web, but the closest I came is an old bugreport against
Fedora [2] suggesting this should have been fixed. Perhaps it is for
Fedora, but it's not for CentOS 6 at least.

What should I do to get this running ?


[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py [2]
https://bugzilla.redhat.com/show_bug.cgi?id=183928 -- selinux mailing list
The AVC says it is not allowing postfix_pipe_t to searc /var/lib/mailman for
the binary.
Thank you for your reply.

What you write here seems to be not exactly what happens, but close enough for me to be able to fix it. For reference I'll mention what I finally did: - postfix-to-mailman.py is a wrapper script around the mailman binary. So if the mailman binary itself can work, so should the postfix-to-mailman.py wrapper if it is labeled the same. mailman is labeled mailman_mail_exec_t so I used chcon -v -t mailman_mail_exec_t postfix-to-mailman.py (in /usr/lib/mailman/bin)

Surprisingly, this didn't work. I got another AVC telling me that postfix_pipe_t doesn't have exec rights on mailman_mail_exec_t. This surprised me because a plain mailman setup does work.

I'd love to understand why that is, but I didn't find it. The only difference I see is that postfix-to-mailman.py is configured using postfix' pipe daemon in master.cf, while a straight mailman setup uses pipes in alias definitions, such as
ml_k2a:              "|/usr/lib/mailman/mail/mailman post ml_k2a"
I don't know how these are treated differently by postfix and how that affects selinux.

I worked around this by allowing postfix_pipe_t to transition to mailman_mail_exec_t in a local policy, so postfix-to-mailman.py runs as mailman_mail_exec_t. I don't know for sure if that is a good thing to do, but it works -- almost.

This change does start running the wrapper script, but when the wrapper eventually calls the mailman binary, I get another AVC: type=AVC msg=audit(1334331914.790:385560): avc: denied { setsched } for pid=24190 comm="python" scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:m
ailman_mail_t:s0 tclass=process
type=SYSCALL msg=audit(1334331914.790:385560): arch=c000003e syscall=141 success=yes exit=0 a0=0 a1=0 a2=5 a3=7fff448f6e98 items=0 ppid=24161 pid=24190 auid=501 uid=41 gid=41 euid= 41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:mailman_mail_t:s0 key=(null)

(Note that I temporarily switched to permissive mode, so the above AVC was allowed) Again, I couldn't figure out why this happens with postfix-to-mailman.py, but not for the original mailman setup. In this case I chose to run audit2allow to create a local policy to allow this.

And that was that. I have the wrapper running now. If someone sees some obvious problems with this, I'd be very willing to take good advice. Selinux is pretty new to me.

selinux mailing list

[Fedora Users]     [Fedora Legacy]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite Photos]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

Powered by Linux

  Web www.spinics.net