Two questions: Mailman and staff_u starting a process

Dominick Grift dominick.grift at gmail.com
Sat Aug 2 16:44:50 UTC 2014


On Fri, 2014-08-01 at 10:29 -0500, Jeremy Young wrote:
> Hello everyone, and thank you in advance for any help or information
> that you can offer me.  
> 
> 
> I'm configuring a server to run Postfix and Mailman for our
> development team's test environment.  I've installed and configured
> Apache and Mailman, having no problems with either program.  In
> addition to DISA STIGS, I'm trying to implement some best practices
> and make better use of the security that SELinux can provide.  
> 
> 
> My first, and more general, question is whether a process started by a
> user mapped to staff_u could potentially run into any undesirable
> AVCs.
> 

Yes, it can (I suppose it always can). The question, though, is not very
clear; however, I assume you mean in a stock configuration.

> I've mapped all server administrators to the staff_u SELinux user:
> 
> 
> root at DOMAIN-mailman01 in /root >> semanage login -l | grep -i admins
> %DOMAIN-LinuxAdmins          staff_u                   s0-s0:c0.c1023
> 
> 
> These users are allowed to transition to unconfined_t via sudo:
> 
> 
> root at DOMAIN-mailman01 in /home/jyoung_sa >>
> cat /etc/sudoers.d/linuxadmins 
> %DOMAIN-LinuxAdmins ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
> 
> 
> Using "# service $NAME stop|start|restart" as a user in this group, if
> I perform an action on, let's say auditd, I notice that the service
> gets started with my user context and not as system_u as I would
> expect.  Am I correct in thinking that since the staff_u SELinux user
> has the same roles (unconfined_r and system_r) as the system_u user,
> that this is a non-issue, and the service should perform as normal?
> 
> 
> root at DOMAIN-mailman01 in /home/jyoung_sa >> ps auxZ | grep auditd$
> staff_u:system_r:auditd_t:s0    root      1830  0.0  0.0  31892
> 888 ?        S<sl 10:12   0:00 auditd
> 

In Fedora/RHEL it is indeed a non-issue, but this is only a non-issue
because Fedora/RHEL made it a non-issue.

> 
> My second question is more specific to Mailman and Apache.  I've
> toggled many of the unnecessary SELinux booleans to off, and am able
> to view the Apache welcome page with the following being true:
> 
> 
> root at DOMAIN-mailman01 in /home/jyoung_sa >> rpm -qa | grep selinux
> libselinux-2.0.94-5.3.el6_4.1.x86_64
> libselinux-python-2.0.94-5.3.el6_4.1.x86_64
> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
> selinux-policy-3.7.19-231.el6_5.1.noarch
> selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
> root at DOMAIN-mailman01 in /home/jyoung_sa >> sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
> root at DOMAIN-mailman01 in /home/jyoung_sa >> semanage boolean -l | grep
> "(on"
> allow_staff_exec_content       (on   ,   on)  allow_staff_exec_content
> unconfined_login               (on   ,   on)  Allow a user to login as
> an unconfined domain
> allow_postfix_local_write_mail_spool (on   ,   on)  Allow
> postfix_local domain full write access to mail_spool directories
> init_upstart                   (on   ,   on)  Enable support for
> upstart as the init program.
> allow_kerberos                 (on   ,   on)  Allow confined
> applications to run with kerberos.
> allow_domain_fd_use            (on   ,   on)  Allow all domains to use
> other domains file descriptors
> 
> 
> When attempting to visit the mailman webpage, however, I would get a
> 500 error from Apache, producing this AVC in the audit log:
> 
> 
> root at DOMAIN-mailman01 in /home/jyoung_sa >> ausearch -m avc -ts recent
> ----
> time->Fri Aug  1 10:03:50 2014
> node=DOMAIN-mailman01 type=PATH msg=audit(1406905430.337:1109): item=0 name="/usr/lib/mailman/cgi-bin/listinfo" inode=268184 dev=fd:00 mode=0102755 ouid=0 ogid=41 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
> node=DOMAIN-mailman01 type=CWD msg=audit(1406905430.337:1109):  cwd="/usr/lib/mailman/cgi-bin"
> node=DOMAIN-mailman01 type=SYSCALL msg=audit(1406905430.337:1109): arch=c000003e syscall=59 success=no exit=-13 a0=7f9d3732c920 a1=7f9d3732dd98 a2=7f9d3732ddb0 a3=7fffbecc4860 items=1 ppid=1595 pid=1777 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> node=DOMAIN-mailman01 type=AVC msg=audit(1406905430.337:1109): avc:  denied  { execute_no_trans } for  pid=1777 comm="httpd" path="/usr/lib/mailman/cgi-bin/listinfo" dev=dm-0 ino=268184 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> 

/usr/lib/mailman/cgi-bin/listinfo is mislabeled: it is labeled as a
library, and libraries cannot be executed (libraries are mmapped
instead).

I think you may want to label the file type mailman_cgi_exec_t (should
probably label all executable files in /usr/lib/mailman/cgi-bin/ that
way).

> 
> 
> audit2allow generates this module for me:
> module mailman 1.0;
> 
> 
> require {
> type var_log_t;
> type lib_t;
> type httpd_t;
> class file { read execute_no_trans };
> }
> 
> 
> #============= httpd_t ==============
> allow httpd_t lib_t:file execute_no_trans;
> allow httpd_t var_log_t:file read;
> 
> 
> 
> 
> I tried using "# chcon -t bin_t /usr/lib/mailman/cgi-bin/*" to test,
> and I got a different denial message:
> 
> 
> ----
> time->Fri Aug  1 10:27:23 2014
> node=ues-mailman01 type=PATH msg=audit(1406906843.430:2887): item=1 name=(null) inode=2097286 dev=fd:02 mode=0100664 ouid=41 ogid=41 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
> node=ues-mailman01 type=PATH msg=audit(1406906843.430:2887): item=0 name="/var/log/mailman/" inode=2097282 dev=fd:02 mode=042775 ouid=0 ogid=41 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
> node=ues-mailman01 type=CWD msg=audit(1406906843.430:2887):  cwd="/usr/lib/mailman/cgi-bin"
> node=ues-mailman01 type=SYSCALL msg=audit(1406906843.430:2887): arch=c000003e syscall=2 success=no exit=-13 a0=7204f0 a1=442 a2=1b6 a3=0 items=2 ppid=1731 pid=1901 auid=4294967295 uid=48 gid=41 euid=48 suid=48 fsuid=48 egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:httpd_t:s0 key=(null)
> node=ues-mailman01 type=AVC msg=audit(1406906843.430:2887): avc:  denied  { read } for  pid=1901 comm="python" name="error" dev=dm-2 ino=2097286 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> 
> Because this is a development environment and is not affecting
> production, I'm not terribly concerned with installing the module.  If
> I'm instructed to perform the same configuration to our production
> servers, though, the SELinux module would require Federal approval.  
> 
> 
> Can I have someone's opinion about this module?  Is this required, or
> could I change the context of the files stored
> in /usr/lib/mailman/cgi-bin to something that Apache is allowed to
> use?  Have I turned off too many booleans that could have prevented
> this?
> 
> 
> Thank you!
> 
> 
> -- 
> Jeremy Young, M.S., RHCSA
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
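Added example (not code from the thread or from the SELinux project): a small triage script for the two denials above. It parses the AVC and PATH records, recovers the full path of the denied object (the open() denial only carries name="error", so the PARENT entry of the PATH record is joined to it), and distinguishes "the file carries a catch-all type under an application directory, so relabel it" from "policy genuinely lacks a rule". It also prints the rule audit2allow would have produced, to make the difference in scope visible. The audit text is a constructed copy of the records Jeremy posted. The expected labels are assumptions: mailman_cgi_exec_t is the type Dominick suggests for the CGIs, and mailman_log_t is assumed to be the stock mailman module's log type; confirm both with matchpathcon on the target box before relabeling.

```python
"""Triage SELinux AVC denials: mislabeled file, or a real policy gap?

Added example, not code from the original thread or from the SELinux
project. The audit text below is a constructed copy of the denials in
the thread (node= prefixes dropped, records unwrapped to one line).
Expected labels are assumptions (see EXPECTED_LABELS); verify them with
matchpathcon on the real system.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample input (copied from the thread's ausearch output).
SAMPLE_AUDIT = """\
type=PATH msg=audit(1406905430.337:1109): item=0 name="/usr/lib/mailman/cgi-bin/listinfo" inode=268184 dev=fd:00 mode=0102755 ouid=0 ogid=41 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
type=AVC msg=audit(1406905430.337:1109): avc:  denied  { execute_no_trans } for  pid=1777 comm="httpd" path="/usr/lib/mailman/cgi-bin/listinfo" dev=dm-0 ino=268184 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=PATH msg=audit(1406906843.430:2887): item=0 name="/var/log/mailman/" inode=2097282 dev=fd:02 mode=042775 ouid=0 ogid=41 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
type=AVC msg=audit(1406906843.430:2887): avc:  denied  { read } for  pid=1901 comm="python" name="error" dev=dm-2 ino=2097286 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Catch-all object types. A confined application domain being denied on one
# of these *under an application-specific directory* usually means the files
# never received their application-specific label, not that policy is missing.
GENERIC_TYPES = {"lib_t", "bin_t", "usr_t", "var_t", "var_log_t", "var_lib_t", "etc_t", "default_t"}

# Assumed directory -> expected type mapping (mailman_cgi_exec_t from the reply
# above; mailman_log_t assumed from the stock mailman policy module).
EXPECTED_LABELS = [
    ("/usr/lib/mailman/cgi-bin", "mailman_cgi_exec_t"),
    ("/var/log/mailman", "mailman_log_t"),
]

RECORD_RE = re.compile(r"^(?:node=\S+ )?type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_kv(text):
    """Turn 'k=v k="quoted v"' into a dict; shlex strips the quotes for us."""
    fields = {}
    for tok in shlex.split(text):
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def parse_audit(text):
    """Group AVC and PATH records by audit serial; return one event per AVC."""
    events = defaultdict(lambda: {"avc": None, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.group("type"), m.group("serial"), m.group("body")
        if rtype == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            avc = parse_kv(a.group("kv"))
            avc["perms"] = a.group("perms").split()
            avc["stype"] = avc["scontext"].split(":")[2]   # source (process) type
            avc["ttype"] = avc["tcontext"].split(":")[2]   # target (object) type
            events[serial]["avc"] = avc
        elif rtype == "PATH":
            events[serial]["paths"].append(parse_kv(body))
    return [ev for ev in events.values() if ev["avc"] is not None]


def resolve_path(event):
    """Exec denials carry path=; open() denials only carry name=, so join the
    name with the PARENT entry of the matching PATH record."""
    avc = event["avc"]
    if "path" in avc:
        return avc["path"]
    parent = next((p["name"] for p in event["paths"] if p.get("nametype") == "PARENT"), None)
    if parent and "name" in avc:
        return parent.rstrip("/") + "/" + avc["name"]
    return None


def audit2allow_rule(avc):
    """The rule audit2allow would emit. Note it covers *every* object of the
    target type (here every library on the system), not just the one path."""
    return "allow %s %s:%s { %s };" % (avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))


def triage(event):
    avc = event["avc"]
    path = resolve_path(event)
    verdict = {"path": path, "stype": avc["stype"], "ttype": avc["ttype"],
               "perms": avc["perms"], "kind": "policy", "expected": None, "fix": []}
    if path is None or avc["ttype"] not in GENERIC_TYPES:
        return verdict
    for prefix, expected in EXPECTED_LABELS:
        if path == prefix or path.startswith(prefix + "/"):
            verdict["kind"] = "mislabel"
            verdict["expected"] = expected
            verdict["fix"] = [
                "matchpathcon -V %s" % shlex.quote(path),        # does the on-disk label match policy?
                "restorecon -RFv %s" % shlex.quote(prefix),       # reset to what policy specifies
                # Only if matchpathcon shows policy has no file context for this path:
                "semanage fcontext -a -t %s '%s(/.*)?'" % (expected, prefix),
            ]
            break
    return verdict


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT):
        v = triage(ev)
        print("%s: %s -> %s %s  [%s]" % (v["path"], v["stype"], v["ttype"], v["perms"], v["kind"]))
        print("  audit2allow would grant: " + audit2allow_rule(ev["avc"]))
        for cmd in v["fix"]:
            print("  " + cmd)
```

Run it on a copy of `ausearch -m avc` output instead of SAMPLE_AUDIT to triage a real box. The design choice worth noting: the script never proposes a local policy module for a denial whose target is a catch-all type under an application directory, because `allow httpd_t lib_t:file execute_no_trans` would let Apache execute every library on the system, whereas `restorecon` only gives the Mailman CGIs the type the stock policy already has rules for.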
