Selinux and mailman via postfix pipe

Geert Janssens geert at kobaltwit.be
Fri Apr 13 16:45:00 UTC 2012


On 12-04-12 22:27, Daniel J Walsh wrote:
> On 04/12/2012 12:24 PM, Geert Janssens wrote:
>> Hi,
>>
>> I'm setting up a new server based on CentOS 6.2. It is meant to replace a
>> CentOS 5 server. The old server had selinux running in permissive mode, but
>> I figured it would be a good thing to enforce it on the new server. This
>> has revealed some selinux violations in my old configurations. Most of them
>> I managed to fix so far, with one exception:
>>
>> Part of the setup involves a mailman based mailing list service. This is
>> configured using a postfix pipe into a python script called
>> postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
>> hassle of managing the aliases required for each list. The problem is
>> though that this doesn't seem to work with selinux enabled.
>>
>> Here are the relevant error messages: In the maillog: pipe[11266]: fatal:
>> pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission
>> denied
>>
>> And the SELinux AVC:
>> type=AVC msg=audit(1334239608.305:371794): avc: denied  { search } for pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
>>
>> SELinux is preventing /usr/bin/python from search access on the directory
>> /var/lib/mailman.
>>
>> *****  Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that python should be allowed search access on the mailman
>> directory by default. Then you should report this as a bug. You can
>> generate a local policy module to allow this access. Do allow this access
>> for now by executing: # grep python /var/log/audit/audit.log | audit2allow
>> -M mypol # semodule -i mypol.pp
>>
>> I am not sure how to proceed here. I already tried to change the fcontext
>> for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
>> that simply results in a denial that prevents postfix' pipe to execute
>> postfix-to-mailman.py.
>>
>> I searched the web, but the closest I came is an old bugreport against
>> Fedora [2] suggesting this should have been fixed. Perhaps it is for
>> Fedora, but it's not for CentOS 6 at least.
>>
>> What should I do to get this running ?
>>
>> Geert
>>
>>
>> [1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
> The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for
> the binary.
Thank you for your reply.

What you write here seems to be not exactly what happens, but close 
enough for me to be able to fix it. For reference I'll mention what I 
finally did:
- postfix-to-mailman.py is a wrapper script around the mailman binary. 
So if the mailman binary itself can work, so should the 
postfix-to-mailman.py wrapper if it is labeled the same. mailman is 
labeled mailman_mail_exec_t so I used
chcon -v -t mailman_mail_exec_t postfix-to-mailman.py (in 
/usr/lib/mailman/bin)

Surprisingly, this didn't work. I got another AVC telling me that 
postfix_pipe_t doesn't have exec rights on mailman_mail_exec_t. This 
surprised me because a plain mailman setup does work.

I'd love to understand why that is, but I didn't find it. The only 
difference I see is that postfix-to-mailman.py is configured using 
postfix' pipe daemon in master.cf, while a straight mailman setup uses 
pipes in alias definitions, such as
ml_k2a:              "|/usr/lib/mailman/mail/mailman post ml_k2a"
I don't know how these are treated differently by postfix and how that 
affects selinux.

I worked around this by allowing postfix_pipe_t to transition to 
mailman_mail_exec_t in a local policy, so postfix-to-mailman.py runs as 
mailman_mail_exec_t. I don't know for sure if that is a good thing to 
do, but it works -- almost.

This change does start running the wrapper script, but when the wrapper 
eventually calls the mailman binary, I get another AVC:
type=AVC msg=audit(1334331914.790:385560): avc:  denied  { setsched } for  pid=24190 comm="python" scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=process
type=SYSCALL msg=audit(1334331914.790:385560): arch=c000003e syscall=141 success=yes exit=0 a0=0 a1=0 a2=5 a3=7fff448f6e98 items=0 ppid=24161 pid=24190 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:mailman_mail_t:s0 key=(null)

(Note that I temporarily switched to permissive mode, so the above AVC 
was allowed)
Again, I couldn't figure out why this happens with 
postfix-to-mailman.py, but not for the original mailman setup.
In this case I chose to run audit2allow to create a local policy to 
allow this.

And that was that. I have the wrapper running now. If someone sees some 
obvious problems with this, I'd be very willing to take good advice. 
Selinux is pretty new to me.

Geert
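As an added example (not part of this thread, nor the CentOS policy), here is what the two-step workaround above amounts to when written as one local policy module: a domain transition from postfix_pipe_t through the mailman_mail_exec_t label into mailman_mail_t, plus the setsched permission from the second AVC, and a persistent file context for the wrapper so the chcon label survives a relabel. The module name, the file path and the exact permission set are assumptions; compare the set against audit2allow output from your own audit.log before loading it.

```shell
#!/bin/sh
# Added example: local SELinux module for a postfix pipe that runs a mailman wrapper.
# Assumes the types seen in the AVCs (postfix_pipe_t, mailman_mail_exec_t, mailman_mail_t)
# and that the base policy already grants mailman_mail_t entrypoint on mailman_mail_exec_t.
set -eu

# Write the policy source (audit2allow-style raw module syntax) to the file given as $1.
write_policy_te() {
    cat > "$1" <<'EOF'
module local_postfix_mailman 1.0;

require {
    type postfix_pipe_t;
    type mailman_mail_exec_t;
    type mailman_mail_t;
    class file { read getattr open execute };
    class process { transition sigchld setsched };
}

# Let the pipe daemon execute the wrapper labeled mailman_mail_exec_t ...
allow postfix_pipe_t mailman_mail_exec_t:file { read getattr open execute };
# ... and switch into the mailman_mail_t domain while doing so (no execute_no_trans).
allow postfix_pipe_t mailman_mail_t:process transition;
type_transition postfix_pipe_t mailman_mail_exec_t:process mailman_mail_t;
# The child must be able to notify the pipe daemon when it exits.
allow mailman_mail_t postfix_pipe_t:process sigchld;
# Second AVC in the thread: python calls sched_setscheduler() on itself.
allow mailman_mail_t self:process setsched;
EOF
}

# Return 0 when the generated source carries the transition and the setsched rule.
policy_has_rules() {
    grep -q 'type_transition postfix_pipe_t mailman_mail_exec_t:process mailman_mail_t' "$1" &&
    grep -q 'allow mailman_mail_t self:process setsched' "$1"
}

# Compile and load the module (needs checkmodule, semodule_package and semodule),
# then record the wrapper's label persistently instead of relying on chcon alone.
install_policy() {
    checkmodule -M -m -o "${1%.te}.mod" "$1"
    semodule_package -o "${1%.te}.pp" -m "${1%.te}.mod"
    semodule -i "${1%.te}.pp"
    semanage fcontext -a -t mailman_mail_exec_t '/usr/lib/mailman/bin/postfix-to-mailman.py'
    restorecon -v /usr/lib/mailman/bin/postfix-to-mailman.py
}
```

Run `write_policy_te local_postfix_mailman.te && install_policy local_postfix_mailman.te` as root; `sesearch -T -s postfix_pipe_t -t mailman_mail_exec_t` afterwards should show the new transition.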
