Selinux and mailman via postfix pipe

Geert Janssens geert at kobaltwit.be
Thu Apr 12 16:24:34 UTC 2012


Hi,

I'm setting up a new server based on CentOS 6.2. It is meant to replace 
a CentOS 5 server. The old server had selinux running in permissive 
mode, but I figured it would be a good thing to enforce it on the new 
server. This has revealed some selinux violations in my old 
configurations. Most of them I managed to fix so far, with one exception:

Part of the setup involves a mailman based mailing list service. This is 
configured using a postfix pipe into a python script called 
postfix-to-mailman.py [1]. This is convenient, as it saves our admins 
the hassle of managing the aliases required for each list. The problem, 
though, is that this doesn't seem to work with selinux enabled.

Here are the relevant error messages:
In the maillog:
pipe[11266]: fatal: pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied

And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc:  denied  { search } for  pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)

SELinux is preventing /usr/bin/python from search access on the 
directory /var/lib/mailman.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed search access on the 
mailman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I am not sure how to proceed here. I already tried to change the 
fcontext for postfix-to-mailman.py to mailman_mail_exec_t or 
mailman_data_t, but that simply results in a denial that prevents 
postfix's pipe from executing postfix-to-mailman.py.

I searched the web, but the closest I came is an old bug report against 
Fedora [2] suggesting this should have been fixed. Perhaps it is for 
Fedora, but it's not for CentOS 6 at least.

What should I do to get this running?

Geert


[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
[2] https://bugzilla.redhat.com/show_bug.cgi?id=183928

