On 04/12/2012 12:24 PM, Geert Janssens wrote:
Hi,
I'm setting up a new server based on CentOS 6.2. It is meant to replace a
CentOS 5 server. The old server had selinux running in permissive mode, but
I figured it would be a good thing to enforce it on the new server. This
has revealed some selinux violations in my old configurations. Most of them
I managed to fix so far, with one exception:
Part of the setup involves a mailman based mailing list service. This is
configured using a postfix pipe into a python script called
postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
hassle of managing the aliases required for each list. The problem is
though that this doesn't seem to work with selinux enabled.
Here are the relevant error messages.
In the maillog:
pipe[11266]: fatal: pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied
And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
SELinux is preventing /usr/bin/python from search access on the directory /var/lib/mailman.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that python should be allowed search access on the mailman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I am not sure how to proceed here. I already tried to change the fcontext
for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
that simply results in a denial that prevents postfix's pipe from executing
postfix-to-mailman.py.
I searched the web, but the closest I came is an old bug report against
Fedora [2] suggesting this should have been fixed. Perhaps it is for
Fedora, but it's not for CentOS 6 at least.
What should I do to get this running?
Geert
[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
[2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for
the binary.
Simplest thing would be to copy the script to /usr/bin, then postfix_pipe_t
would be allowed to get to the binary, or to allow postfix_pipe_t to search
through mailman_data_t using a policy module:
cat mypostfix.te
policy_module(mypostfix, 1.0)

gen_require(`
type postfix_pipe_t, mailman_data_t;
')

# let postfix's pipe transport traverse mailman_data_t directories (/var/lib/mailman)
allow postfix_pipe_t mailman_data_t:dir search_dir_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp
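As an added illustration (not code from this thread or from the SELinux tools), the script below does the core of what the audit2allow step in the catchall suggestion does: it pulls source type, target type, object class and denied permissions out of AVC records and renders the same kind of minimal .te module as mypostfix.te above, so you can review exactly which rules a module would add before installing it. The sample audit lines are constructed from the denial quoted above plus a second made-up record that shows permissions merging; the record layout the regex expects is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: the AVC/SYSCALL pair from the thread
# (level repaired to "s0") plus an invented follow-up denial for the same dir.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1334239608.305:371795): avc: denied { getattr open } for pid=10858 comm="python" name="mailman" scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
"""

# Assumed AVC record shape: "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type:level -> type (the only field allow rules care about)."""
    return context.split(':')[2]

def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)

def render_te_module(name, rules):
    """Emit a minimal .te module with one allow rule per (source, target, class)."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    lines = [f"policy_module({name}, 1.0)", "", "gen_require(`",
             f"\ttype {', '.join(types)};", "')", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_te_module("mypostfix", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Comparing the rendered allow rule with the reply's hand-written one shows the difference between granting the literal denied permissions and the broader search_dir_perms macro.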