Two questions: Mailman and staff_u starting a process

Jeremy Young jrm16020 at gmail.com
Mon Aug 4 13:52:15 UTC 2014


Hi Dominick,

Thank you for the quick answer!  I noticed that too about the files in
/usr/lib/mailman/cgi-bin being apparently mislabeled, but I don't have that
label available to me.

jyoung_sa at DOMAIN-mailman01 in /home/jyoung_sa >> seinfo -t | grep mailman | wc -l
0
jyoung_sa at DOMAIN-mailman01 in /home/jyoung_sa >> sudo yum list installed | grep selinux
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
libselinux.x86_64              2.0.94-5.3.el6_4.1   @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
libselinux-python.x86_64       2.0.94-5.3.el6_4.1   @/libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils.x86_64        2.0.94-5.3.el6_4.1   @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
selinux-policy.noarch          3.7.19-231.el6_5.3   @rhel-6-server-rpms
selinux-policy-targeted.noarch 3.7.19-231.el6_5.3   @rhel-6-server-rpms


For what it's worth, mailman seems to work fine with these labels in place
and using the module that I generated.  That is, at least until the file
context of all of the config.pck files in /var/lib/mailman/lists/ues-all
gets changed when one of the crons installed by mailman changes the context
of those files to cron_var_lib_t.

Thank you again!


On Sat, Aug 2, 2014 at 11:44 AM, Dominick Grift <dominick.grift at gmail.com>
wrote:

> On Fri, 2014-08-01 at 10:29 -0500, Jeremy Young wrote:
> > Hello everyone, and thank you in advance for any help or information
> > that you can offer me.
> >
> >
> > I'm configuring a server to run Postfix and Mailman for our
> > development team's test environment.  I've installed and configured
> > Apache and Mailman, having no problems with either program.  In
> > addition to DISA STIGS, I'm trying to implement some best practices
> > and make better use of the security that SELinux can provide.
> >
> >
> > My first, and more general question, is whether a process started by a
> > user mapped to staff_u could potentially run into any undesirable
> > AVCs.
> >
>
> Yes it can (I suppose it always can). The question though is not very
> clear; however, I assume you mean in a stock configuration.
>
> > I've mapped all server administrators to the staff_u SELinux user:
> >
> >
> > root at DOMAIN-mailman01 in /root >> semanage login -l | grep -i admins
> > %DOMAIN-LinuxAdmins          staff_u                   s0-s0:c0.c1023
> >
> >
> > These users are allowed to transition to unconfined_t via sudo:
> >
> >
> > root at DOMAIN-mailman01 in /home/jyoung_sa >>
> > cat /etc/sudoers.d/linuxadmins
> > %DOMAIN-LinuxAdmins ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
> >
> >
> > Using "# service $NAME stop|start|restart" as a user in this group, if
> > I perform an action on, let's say auditd, I notice that the service
> > gets started with my user context and not as system_u as I would
> > expect.  Am I correct in thinking that since the staff_u SELinux user
> > has the same roles (unconfined_r and system_r) as the system_u user,
> > that this is a non-issue, and the service should perform as normal?
> >
> >
> > root at DOMAIN-mailman01 in /home/jyoung_sa >> ps auxZ | grep auditd$
> > staff_u:system_r:auditd_t:s0    root      1830  0.0  0.0  31892
> > 888 ?        S<sl 10:12   0:00 auditd
> >
>
> In fedora/rhel it is indeed a non-issue, but this is only a non-issue
> because fedora/rhel made it a non-issue.
>
> >
> > My second question is more specific to Mailman and Apache.  I've
> > toggled many of the unnecessary SELinux booleans to off, and am able
> > to view the Apache welcome page with the following being true:
> >
> >
> > root at DOMAIN-mailman01 in /home/jyoung_sa >> rpm -qa | grep selinux
> > libselinux-2.0.94-5.3.el6_4.1.x86_64
> > libselinux-python-2.0.94-5.3.el6_4.1.x86_64
> > libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
> > selinux-policy-3.7.19-231.el6_5.1.noarch
> > selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
> > root at DOMAIN-mailman01 in /home/jyoung_sa >> sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy version:                 24
> > Policy from config file:        targeted
> > root at DOMAIN-mailman01 in /home/jyoung_sa >> semanage boolean -l | grep
> > "(on"
> > allow_staff_exec_content       (on   ,   on)  allow_staff_exec_content
> > unconfined_login               (on   ,   on)  Allow a user to login as
> > an unconfined domain
> > allow_postfix_local_write_mail_spool (on   ,   on)  Allow
> > postfix_local domain full write access to mail_spool directories
> > init_upstart                   (on   ,   on)  Enable support for
> > upstart as the init program.
> > allow_kerberos                 (on   ,   on)  Allow confined
> > applications to run with kerberos.
> > allow_domain_fd_use            (on   ,   on)  Allow all domains to use
> > other domains file descriptors
> >
> >
> > When attempting to visit the mailman webpage, however, I would get a
> > 500 error from Apache, producing this AVC in the audit log:
> >
> >
> > root at DOMAIN-mailman01 in /home/jyoung_sa >> ausearch -m avc -ts recent
> > ----
> > time->Fri Aug  1 10:03:50 2014
> > node=DOMAIN-mailman01 type=PATH msg=audit(1406905430.337:1109): item=0
> > name="/usr/lib/mailman/cgi-bin/listinfo" inode=268184 dev=fd:00
> > mode=0102755 ouid=0 ogid=41 rdev=00:00 obj=system_u:object_r:lib_t:s0
> > nametype=NORMAL
> > node=DOMAIN-mailman01 type=CWD msg=audit(1406905430.337:1109):
> >  cwd="/usr/lib/mailman/cgi-bin"
> > node=DOMAIN-mailman01 type=SYSCALL msg=audit(1406905430.337:1109):
> > arch=c000003e syscall=59 success=no exit=-13 a0=7f9d3732c920
> > a1=7f9d3732dd98 a2=7f9d3732ddb0 a3=7fffbecc4860 items=1 ppid=1595
> > pid=1777 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> > egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> > exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > node=DOMAIN-mailman01 type=AVC msg=audit(1406905430.337:1109): avc:
> >  denied  { execute_no_trans } for  pid=1777 comm="httpd"
> > path="/usr/lib/mailman/cgi-bin/listinfo" dev=dm-0 ino=268184
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:lib_t:s0 tclass=file
> >
>
> /usr/lib/mailman/cgi-bin/listinfo is mislabeled: it is labeled as a
> library, and libraries cannot be executed (libraries are mmapped
> instead).
>
> I think you may want to label the file type mailman_cgi_exec_t (you should
> probably label all executable files in /usr/lib/mailman/cgi-bin/ that
> way).
>
> >
> >
> > audit2allow generates this module for me:
> > module mailman 1.0;
> >
> > require {
> >     type var_log_t;
> >     type lib_t;
> >     type httpd_t;
> >     class file { read execute_no_trans };
> > }
> >
> > #============= httpd_t ==============
> > allow httpd_t lib_t:file execute_no_trans;
> > allow httpd_t var_log_t:file read;
> >
> >
> >
> >
> > I tried using "# chcon -t bin_t /usr/lib/mailman/cgi-bin/*" to test,
> > and I got a different denial message:
> >
> >
> > ----
> > time->Fri Aug  1 10:27:23 2014
> > node=ues-mailman01 type=PATH msg=audit(1406906843.430:2887): item=1
> > name=(null) inode=2097286 dev=fd:02 mode=0100664 ouid=41 ogid=41
> > rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
> > node=ues-mailman01 type=PATH msg=audit(1406906843.430:2887): item=0
> > name="/var/log/mailman/" inode=2097282 dev=fd:02 mode=042775 ouid=0
> > ogid=41 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
> > node=ues-mailman01 type=CWD msg=audit(1406906843.430:2887):
> >  cwd="/usr/lib/mailman/cgi-bin"
> > node=ues-mailman01 type=SYSCALL msg=audit(1406906843.430:2887):
> > arch=c000003e syscall=2 success=no exit=-13 a0=7204f0 a1=442 a2=1b6
> > a3=0 items=2 ppid=1731 pid=1901 auid=4294967295 uid=48 gid=41 euid=48
> > suid=48 fsuid=48 egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295
> > comm="python" exe="/usr/bin/python" subj=system_u:system_r:httpd_t:s0
> > key=(null)
> > node=ues-mailman01 type=AVC msg=audit(1406906843.430:2887): avc:
> >  denied  { read } for  pid=1901 comm="python" name="error" dev=dm-2
> > ino=2097286 scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:var_log_t:s0 tclass=file
> >
> >
> > Because this is a development environment and is not affecting
> > production, I'm not terribly concerned with installing the module.  If
> > I'm instructed to perform the same configuration to our production
> > servers, though, the SELinux module would require Federal approval.
> >
> >
> > Can I have someone's opinion about this module?  Is this required, or
> > could I change the context of the files stored
> > in /usr/lib/mailman/cgi-bin to something that Apache is allowed to
> > use?  Have I turned off too many booleans that could have prevented
> > this?
> >
> >
> > Thank you!
> >
> >
> > --
> > Jeremy Young, M.S., RHCSA
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>


-- 
Jeremy Young <jrm16020 at gmail.com>, M.S., RHCSA
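An added example, not from the thread and not Mailman's or Red Hat's own tooling: a small POSIX sh helper that triages an AVC record like the two posted above and, for a denial whose target carries a generic type such as lib_t or var_log_t, prints the persistent relabel fix (semanage fcontext plus restorecon) instead of the audit2allow rule. The two sample AVC lines are copied from the thread and trimmed to the AVC record; which types count as "generic" is an assumption of this example. The preferred type passed to triage (mailman_cgi_exec_t, Dominick's suggestion) is used only when `seinfo -t` shows the loaded policy defines it; on a policy with no mailman types, as in Jeremy's `seinfo -t | grep mailman | wc -l` output, the script falls back to bin_t for executables, which is what the chcon test in the thread did.

```shell
#!/bin/sh
# Added example (not from the thread): classify an SELinux AVC record and print
# the persistent relabel fix for mislabeled files instead of an audit2allow rule.
# Runs on any POSIX sh; semanage/restorecon/seinfo are only invoked if present.

# Constructed samples: the two denials from the thread, reduced to the AVC line.
SAMPLE_AVC='type=AVC msg=audit(1406905430.337:1109): avc:  denied  { execute_no_trans } for  pid=1777 comm="httpd" path="/usr/lib/mailman/cgi-bin/listinfo" dev=dm-0 ino=268184 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'
SAMPLE_LOG_AVC='type=AVC msg=audit(1406906843.430:2887): avc:  denied  { read } for  pid=1901 comm="python" name="error" dev=dm-2 ino=2097286 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms LINE -> the permissions listed between the braces
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# avc_classify LINE -> mislabeled-exec | mislabeled-data | policy
# A file denial whose target carries a generic type (lib_t, var_log_t, ...)
# is a labelling bug: the fix is a correct label, not a new allow rule.
# (Which types count as generic is an assumption of this example.)
avc_classify() {
    line=$1
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    perms=$(avc_perms "$line")
    [ "$tclass" = file ] || { echo policy; return 0; }
    case "$ttype" in
        lib_t|usr_t)
            case " $perms " in
                *" execute_no_trans "*|*" execute "*) echo mislabeled-exec; return 0 ;;
            esac ;;
        var_log_t|var_lib_t|var_t|cron_var_lib_t)
            echo mislabeled-data; return 0 ;;
    esac
    echo policy
}

# type_exists TYPE -> 0 if the loaded policy defines TYPE; 2 if seinfo is missing.
# `seinfo -t` with no argument lists every type on both setools 3 and setools 4.
type_exists() {
    command -v seinfo >/dev/null 2>&1 || return 2
    seinfo -t 2>/dev/null | grep -qx "[[:space:]]*$1"
}

# relabel_cmds DIR TYPE -> the two commands that make a label stick.
# chcon only changes the inode; the next restorecon (or a relabel) reverts it.
# semanage fcontext records the rule so restorecon applies it, now and later.
relabel_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -RFv %s\n' "$1"
}

# triage LINE PREFERRED_TYPE -> classification plus a relabel plan, using
# PREFERRED_TYPE only when the policy has it and falling back to bin_t for
# executables (what the thread's chcon test used) otherwise.
triage() {
    line=$1; want=$2
    kind=$(avc_classify "$line")
    path=$(avc_field "$line" path)
    echo "$kind: $(ctx_type "$(avc_field "$line" scontext)") { $(avc_perms "$line") } $(avc_field "$line" tcontext) $path"
    case "$kind" in
        mislabeled-exec|mislabeled-data)
            if [ -z "$path" ]; then
                echo "no path= in record; locate the file from name=$(avc_field "$line" name) ino=$(avc_field "$line" ino), then compare matchpathcon and ls -Z on it"
            elif type_exists "$want"; then
                relabel_cmds "$(dirname "$path")" "$want"
            elif [ "$kind" = mislabeled-exec ]; then
                relabel_cmds "$(dirname "$path")" bin_t
            else
                echo "policy has no $want; compare matchpathcon $path with ls -Z $path before choosing a type"
            fi ;;
        policy)
            echo "not a labelling problem; review the audit2allow output rule by rule before loading it" ;;
    esac
}

# Stand-alone run: triage both samples (dry run; nothing on the host is changed).
triage "$SAMPLE_AVC" mailman_cgi_exec_t
triage "$SAMPLE_LOG_AVC" mailman_log_t
```

The point of the classification is the difference between the two fixes. The generated rule `allow httpd_t lib_t:file execute_no_trans;` lets Apache execute every file labeled lib_t, that is every shared library on the system, while a file-context rule for /usr/lib/mailman/cgi-bin changes only those files. The same check applies to the config.pck files that end up as cron_var_lib_t: `matchpathcon` on one of them shows what the file-context database expects, and `restorecon -v` on it shows whether the label can be restored at all with the types the loaded policy provides.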