04-12-2012, 04:24 PM
Geert Janssens

Selinux and mailman via postfix pipe

Hi,

I'm setting up a new server based on CentOS 6.2. It is meant to replace
a CentOS 5 server. The old server had selinux running in permissive
mode, but I figured it would be a good thing to enforce it on the new
server. This has revealed some selinux violations in my old
configurations. Most of them I managed to fix so far, with one exception:


Part of the setup involves a mailman based mailing list service. This is
configured using a postfix pipe into a python script called
postfix-to-mailman.py [1]. This is convenient, as it saves our admins
the hassle of managing the aliases required for each list. The problem
is though that this doesn't seem to work with selinux enabled.


Here are the relevant error messages:
In the maillog:
pipe[11266]: fatal: pipe_command: execvp
/usr/lib/mailman/bin/postfix-to-mailman.py: Permission denied


And the SELinux AVC:
type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for
pid=10858 comm="python" name="mailman" dev=xvda ino=5833449
scontext=unconfined_u:system_r:postfix_pipe_t:s0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80
success=no exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0
ppid=10857 pid=10858 auid=501 uid=41 gid=41
euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6491
comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)


SELinux is preventing /usr/bin/python from search access on the
directory /var/lib/mailman.


***** Plugin catchall (100. confidence) suggests
***************************


If you believe that python should be allowed search access on the
mailman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I am not sure how to proceed here. I already tried to change the
fcontext for postfix-to-mailman.py to mailman_mail_exec_t or
mailman_data_t, but that simply results in a denial that prevents
postfix' pipe from executing postfix-to-mailman.py.


I searched the web, but the closest I came is an old bugreport against
Fedora [2] suggesting this should have been fixed. Perhaps it is for
Fedora, but it's not for CentOS 6 at least.


What should I do to get this running?

Geert


[1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py
[2] https://bugzilla.redhat.com/show_bug.cgi?id=183928
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-12-2012, 08:27 PM
Daniel J Walsh

Selinux and mailman via postfix pipe

On 04/12/2012 12:24 PM, Geert Janssens wrote:
> Hi,
>
> I'm setting up a new server based on CentOS 6.2. It is meant to replace a
> CentOS 5 server. The old server had selinux running in permissive mode, but
> I figured it would be a good thing to enforce it on the new server. This
> has revealed some selinux violations in my old configurations. Most of them
> I managed to fix so far, with one exception:
>
> Part of the setup involves a mailman based mailing list service. This is
> configured using a postfix pipe into a python script called
> postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
> hassle of managing the aliases required for each list. The problem is
> though that this doesn't seem to work with selinux enabled.
>
> Here are the relevant error messages: In the maillog: pipe[11266]: fatal:
> pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission
> denied
>
> And the SELinux AVC: type=AVC msg=audit(1334239608.305:371794): avc:
> denied { search } for pid=10858 comm="python" name="mailman" dev=xvda
> ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0
> tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir type=SYSCALL
> msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no
> exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858
> auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41
> tty=(none) ses=6491 comm="python" exe="/usr/bin/python"
> subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
>
> SELinux is preventing /usr/bin/python from search access on the directory
> /var/lib/mailman.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that python should be allowed search access on the mailman
> directory by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access. Do allow this access
> for now by executing: # grep python /var/log/audit/audit.log | audit2allow
> -M mypol # semodule -i mypol.pp
>
> I am not sure how to proceed here. I already tried to change the fcontext
> for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
> that simply results in a denial that prevents postfix' pipe to execute
> postfix-to-mailman.py.
>
> I searched the web, but the closest I came is an old bugreport against
> Fedora [2] suggesting this should have been fixed. Perhaps it is for
> Fedora, but it's not for CentOS 6 at least.
>
> What should I do to get this running ?
>
> Geert
>
>
> [1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=183928 -- selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for
the binary.

Simplest thing would be to copy the script to /usr/bin, then postfix_pipe_t
would be allowed to get to the binary, or to allow postfix_pipe_t to search
through mailman_data_t using a policy module.

cat mypostfix.te
policy_module(mypostfix, 1.0)
gen_require(`
type postfix_pipe_t, mailman_data_t;
')
allow postfix_pipe_t mailman_data_t:dir search_dir_perms;


# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp

 
04-13-2012, 04:45 PM
Geert Janssens

Selinux and mailman via postfix pipe

On 12-04-12 22:27, Daniel J Walsh wrote:

> On 04/12/2012 12:24 PM, Geert Janssens wrote:
>> Hi,
>>
>> I'm setting up a new server based on CentOS 6.2. It is meant to replace a
>> CentOS 5 server. The old server had selinux running in permissive mode, but
>> I figured it would be a good thing to enforce it on the new server. This
>> has revealed some selinux violations in my old configurations. Most of them
>> I managed to fix so far, with one exception:
>>
>> Part of the setup involves a mailman based mailing list service. This is
>> configured using a postfix pipe into a python script called
>> postfix-to-mailman.py [1]. This is convenient, as it saves our admins the
>> hassle of managing the aliases required for each list. The problem is
>> though that this doesn't seem to work with selinux enabled.
>>
>> Here are the relevant error messages: In the maillog: pipe[11266]: fatal:
>> pipe_command: execvp /usr/lib/mailman/bin/postfix-to-mailman.py: Permission
>> denied
>>
>> And the SELinux AVC: type=AVC msg=audit(1334239608.305:371794): avc:
>> denied { search } for pid=10858 comm="python" name="mailman" dev=xvda
>> ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0
>> tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir type=SYSCALL
>> msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no
>> exit=-13 a0=12a8f00 a1=1 a2=34ae5b3dc8 a3=20 items=0 ppid=10857 pid=10858
>> auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41
>> tty=(none) ses=6491 comm="python" exe="/usr/bin/python"
>> subj=unconfined_u:system_r:postfix_pipe_t:s0 key=(null)
>>
>> SELinux is preventing /usr/bin/python from search access on the directory
>> /var/lib/mailman.
>>
>> ***** Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that python should be allowed search access on the mailman
>> directory by default. Then you should report this as a bug. You can
>> generate a local policy module to allow this access. Do allow this access
>> for now by executing: # grep python /var/log/audit/audit.log | audit2allow
>> -M mypol # semodule -i mypol.pp
>>
>> I am not sure how to proceed here. I already tried to change the fcontext
>> for postfix-to-mailman.py to mailman_mail_exec_t or mailman_data_t, but
>> that simply results in a denial that prevents postfix' pipe to execute
>> postfix-to-mailman.py.
>>
>> I searched the web, but the closest I came is an old bugreport against
>> Fedora [2] suggesting this should have been fixed. Perhaps it is for
>> Fedora, but it's not for CentOS 6 at least.
>>
>> What should I do to get this running ?
>>
>> Geert
>>
>>
>> [1] http://www.gurulabs.com/downloads/postfix-to-mailman-2.1.py [2]
>> https://bugzilla.redhat.com/show_bug.cgi?id=183928 -- selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> The AVC says it is not allowing postfix_pipe_t to search /var/lib/mailman for
> the binary.

Thank you for your reply.

What you write here seems to be not exactly what happens, but close
enough for me to be able to fix it. For reference I'll mention what I
finally did:
- postfix-to-mailman.py is a wrapper script around the mailman binary.
So if the mailman binary itself can work, so should the
postfix-to-mailman.py wrapper if it is labeled the same. mailman is
labeled mailman_mail_exec_t so I used
chcon -v -t mailman_mail_exec_t postfix-to-mailman.py (in
/usr/lib/mailman/bin)


Surprisingly, this didn't work. I got another AVC telling me that
postfix_pipe_t doesn't have exec rights on mailman_mail_exec_t. This
surprised me because a plain mailman setup does work.


I'd love to understand why that is, but I didn't find it. The only
difference I see is that postfix-to-mailman.py is configured using
postfix' pipe daemon in master.cf, while a straight mailman setup uses
pipes in alias definitions, such as

ml_k2a: "|/usr/lib/mailman/mail/mailman post ml_k2a"
I don't know how these are treated differently by postfix and how that
affects selinux.


I worked around this by allowing postfix_pipe_t to transition to
mailman_mail_exec_t in a local policy, so postfix-to-mailman.py runs as
mailman_mail_exec_t. I don't know for sure if that is a good thing to
do, but it works -- almost.


This change does start running the wrapper script, but when the wrapper
eventually calls the mailman binary, I get another AVC:
type=AVC msg=audit(1334331914.790:385560): avc: denied { setsched }
for pid=24190 comm="python"
scontext=unconfined_u:system_r:mailman_mail_t:s0
tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=process
type=SYSCALL msg=audit(1334331914.790:385560): arch=c000003e syscall=141
success=yes exit=0 a0=0 a1=0 a2=5 a3=7fff448f6e98 items=0 ppid=24161
pid=24190 auid=501 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41
fsgid=41 tty=(none) ses=6491
comm="python" exe="/usr/bin/python"
subj=unconfined_u:system_r:mailman_mail_t:s0 key=(null)


(Note that I temporarily switched to permissive mode, so the above AVC
was allowed)
Again, I couldn't figure out why this happens with
postfix-to-mailman.py, but not for the original mailman setup.
In this case I chose to run audit2allow to create a local policy to
allow this.


And that was that. I have the wrapper running now. If someone sees some
obvious problems with this, I'd be very willing to take good advice.
Selinux is pretty new to me.


Geert
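As an added illustration (not code from the list or from either poster), the two denials quoted in this thread read the way audit2allow reads them: each AVC record is paired with its SYSCALL record by audit id, turned into the raw allow rule audit2allow -M would emit, and flagged when the syscall nevertheless reported success=yes, which is how a record written in permissive mode (as Geert's second AVC was) can be told apart from a real block. The sample records are constructed from the ones quoted above, with trailing fields trimmed.

```python
import re

# Constructed sample, modelled on the two audit records quoted in this thread
# (ids, contexts and results as posted; unrelated fields trimmed).
AUDIT_LOG = """\
type=AVC msg=audit(1334239608.305:371794): avc: denied { search } for pid=10858 comm="python" name="mailman" dev=xvda ino=5833449 scontext=unconfined_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1334239608.305:371794): arch=c000003e syscall=80 success=no exit=-13 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1334331914.790:385560): avc: denied { setsched } for pid=24190 comm="python" scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=process
type=SYSCALL msg=audit(1334331914.790:385560): arch=c000003e syscall=141 success=yes exit=0 comm="python" exe="/usr/bin/python"
"""

ID_RE = re.compile(r'msg=audit\((?P<id>[\d.]+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
SUCCESS_RE = re.compile(r'success=(?P<ok>yes|no)')

def type_of(ctx):
    """user:role:type:level -> type, the only component an allow rule names."""
    return ctx.split(':')[2]

def parse_denials(log):
    """Pair AVC records with their SYSCALL record (same audit id); one dict per denial."""
    avcs, syscall_ok = {}, {}
    for line in log.splitlines():
        m_id = ID_RE.search(line)
        if not m_id:
            continue
        aid = m_id.group('id')
        if line.startswith('type=AVC'):
            m = AVC_RE.search(line)
            avcs[aid] = {'id': aid, 'perms': m.group('perms').split(),
                         'source': type_of(m.group('s')),
                         'target': type_of(m.group('t')), 'tclass': m.group('cls')}
        elif line.startswith('type=SYSCALL'):
            syscall_ok[aid] = SUCCESS_RE.search(line).group('ok') == 'yes'
    for aid, d in avcs.items():
        # "denied" together with success=yes means the access went ahead anyway:
        # the domain or the whole system was permissive when the record was written.
        d['permissive'] = syscall_ok.get(aid, False)
    return list(avcs.values())

def allow_rule(d):
    """Raw rule as audit2allow emits it; a hand-written module would normally use a
    refpolicy macro instead (Daniel's search_dir_perms covers { search } and more)."""
    return 'allow %s %s:%s { %s };' % (d['source'], d['target'], d['tclass'], ' '.join(d['perms']))

def policy_module(name, denials):
    """Assemble a minimal .te in the shape of the mypostfix.te posted above."""
    types = sorted({t for d in denials for t in (d['source'], d['target'])})
    head = ['policy_module(%s, 1.0)' % name, 'gen_require(`', '\ttype %s;' % ', '.join(types), "')"]
    return '\n'.join(head + [allow_rule(d) for d in denials])
```

Review the generated rules before loading them: the second one widens mailman_mail_t's own process permissions rather than fixing a labelling problem, which is the kind of thing a raw audit2allow module hides.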
 
