05-28-2008, 11:25 AM
"Fabrizio Buratta"

Postfix pipe command and python scripts

Hi everybody.

This problem with SELinux is exhausting my little head:

I wrote a Python script in order to provide an out-of-office mail system for my Postfix mail server on CentOS 5. This script uses the sqlite module to connect to a db file and store some information about email replies, users etc. I invoke my script from /etc/postfix/master.cf:


autoreply  unix  -  n  n  -  -  pipe
  flags= user=vacation argv=/etc/config_files/postfix/autoresponder/vacation.py --deliver ${sender} -- ${recipient}

whose permissions are (ls -Z /etc/config_files/postfix/autoresponder/):


-rwxrwxrwx  vacation vacation system_u:object_r:etc_t               database.db
-rwxrwxrwx  vacation vacation system_u:object_r:postfix_pipe_exec_t vacation.py

The latter context was set by me to allow /usr/libexec/postfix/pipe to be able to execute my script (I wouldn't use this kind of dirty "tricks"). If I leave it with its canonical context, Postfix will complain saying it has no permission to execute vacation.py.

Assuming this configuration is right, my script is able to connect and retrieve information from the database (select statement) but cannot write to it (database.db). Take a look at the audit log:


type=SYSCALL msg=audit(1211975254.056:1341): arch=c000003e syscall=2 success=no exit=-13 a0=27f4ec0 a1=42 a2=1a4 a3=1 items=0 ppid=7203 pid=7212 auid=0 uid=514 gid=514 euid=514 suid=514 fsuid=514 egid=514 sgid=514 fsgid=514 tty=(none) comm="python" exe="/usr/bin/python" subj=root:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1211975254.060:1342): avc:  denied  { write } for  pid=7206 comm="python" name="localUsers.db" dev=dm-0 ino=262646 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file


I guess the Python sqlite function cannot create the journaling files which are required by sqlite to modify a database (I've also tried to add a PRAGMA statement to change the temporary directory and Python complains that it is not writable... even the /tmp dir). Actually if I disable SELinux everything works, but I don't want to do that at all.


I have no more ideas to solve it. If I create a new policy package from my audit.log using:

audit2allow -i /var/log/audit/audit.log -m vacation > vacation.te etc.

and load it with semodule the issue doesn't go away.


Any help will be really appreciated

Fabrizio

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
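The guess above about journal files is the key to the denials that follow in this thread: SQLite performs a write transaction by creating a rollback journal next to the database file and unlinking it on commit, so the writing process needs create and unlink on files and write, add_name and remove_name on the directory, not only write on the .db file itself. The Python below is an added example (not part of the original post) that shows this on a scratch copy of the database; the table, the inserted row and the temporary directory are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

DB_NAME = "database.db"   # same name as in the post; location is a scratch dir


def files_beside_db(workdir):
    """Directory entries other than the database file itself."""
    return sorted(f for f in os.listdir(workdir) if f != DB_NAME)


def journal_files_during_write():
    """Run one write transaction against a scratch SQLite database and report
    which extra files exist in its directory (a) while the transaction is
    open and (b) after it has committed.

    With the rollback (DELETE) journal mode the result is
    (['database.db-journal'], []): the journal is created in the database's
    own directory on the first page write and unlinked on commit. Under
    SELinux that costs dir { write add_name remove_name } and
    file { create unlink } on the directory's type, on top of the
    file { write } needed for the .db file.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, DB_NAME)
        conn = sqlite3.connect(path)
        # Pin the journal mode so the demo does not depend on a distribution
        # default (WAL mode would create -wal/-shm files instead).
        conn.execute("PRAGMA journal_mode=DELETE")
        conn.execute("CREATE TABLE replies (sender TEXT, recipient TEXT)")
        conn.commit()

        # The INSERT opens an implicit transaction; before the first page is
        # modified SQLite creates <db>-journal alongside the database.
        conn.execute(
            "INSERT INTO replies VALUES (?, ?)",
            ("alice@example.org", "vacation@example.org"),  # constructed row
        )
        during = files_beside_db(workdir)

        conn.commit()          # the journal is unlinked when the transaction ends
        after = files_beside_db(workdir)
        conn.close()
    return during, after


if __name__ == "__main__":
    print(journal_files_during_write())
```

The same observation can be made on the real system with strace -f -e trace=openat,unlink on the pipe child: the open of the -journal file is what turns a single file-write denial into a directory-write one.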
 
05-28-2008, 06:56 PM
Daniel J Walsh

Postfix pipe command and python scripts

Fabrizio Buratta wrote:
> [...]
> type=AVC msg=audit(1211975254.060:1342): avc:  denied  { write } for  pid=7206 comm="python" name="localUsers.db" dev=dm-0 ino=262646 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
> [...]
Looking at the policy, postfix_pipe_t is able to write to postfix_spool_t
or postfix_var_run_t, so you could change the labeling of the file to
one of those contexts.


chcon -t postfix_var_run_t /etc/config_files/postfix/autoresponder/database.db

To make this permanent:
semanage fcontext -a -t postfix_var_run_t /etc/config_files/postfix/autoresponder/database.db

Or you could move the database file to a directory that is already
labeled postfix_spool_t or postfix_var_run_t.

Or you can define a new type postfix_db_t and allow postfix_pipe_t to
write to the file.

 
05-30-2008, 08:05 AM
"Fabrizio Buratta"

Postfix pipe command and python scripts

> Looking at the policy, postfix_pipe_t is able to write to postfix_spool_t
> or postfix_var_run_t, so you could change the labeling of the file to
> one of those contexts.
>
I realized that postfix_pipe_t (the postfix/pipe command actually runs
under the postfix_pipe_exec_t context) cannot do
write, add_name, remove_name and unlink on either postfix_spool_t or
postfix_var_run_t, therefore I had to set it myself.

I'll summarize what I've done:

1 - I put my db in /var/spool/postfix/vacation
2 - chcon -u system_u -r object_r -t postfix_spool_t -R /var/spool/postfix/vacation
3 - chown -R postfix:vacation /var/spool/postfix/vacation
4 - I created vacation.te:

module vacationpolicy 1.0;

require {
type postfix_pipe_t;
type postfix_spool_t;
class dir { write remove_name add_name };
class file { create unlink };
}

#============= postfix_pipe_t ==============
allow postfix_pipe_t postfix_spool_t:dir { write remove_name add_name };
allow postfix_pipe_t postfix_spool_t:file { create unlink };

5 - I created a package and installed it.

It worked.

Thanks for your help!

Fabrizio

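The audit2allow attempt in the first post and the hand-written vacation.te in the last one are the same transformation: group the AVC records by (source type, target type, object class), union the permissions, and emit a require block followed by allow rules. The Python below is an added example (not from the thread and not audit2allow's own code) that does this, with one check audit2allow does not make: a denial whose target is a shared system type such as etc_t is reported back as a relabeling problem instead of becoming an allow rule, since "allow postfix_pipe_t etc_t:file write" would let a mail-triggered script rewrite anything labeled etc_t under /etc. The sample log is constructed: its AVC line for localUsers.db against etc_t is the one quoted in the thread, the remaining lines are assumed denials for the SQLite journal once the database sits in a postfix_spool_t directory (they were not captured on this page), and the SYSTEM_TYPES set is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. The second line is the denial quoted in the thread;
# the later AVC lines are assumed denials for the SQLite journal after the
# database has been moved under a postfix_spool_t directory.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1211975254.056:1341): arch=c000003e syscall=2 success=no exit=-13 comm="python" exe="/usr/bin/python" subj=root:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1211975254.060:1342): avc:  denied  { write } for  pid=7206 comm="python" name="localUsers.db" dev=dm-0 ino=262646 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1212000000.001:2001): avc:  denied  { write add_name } for  pid=7300 comm="python" name="vacation" dev=dm-0 ino=300001 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1212000000.002:2002): avc:  denied  { create } for  pid=7300 comm="python" name="localUsers.db-journal" scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1212000000.003:2003): avc:  denied  { write } for  pid=7300 comm="python" name="localUsers.db" dev=dm-0 ino=300002 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1212000000.004:2004): avc:  denied  { remove_name } for  pid=7300 comm="python" name="localUsers.db-journal" dev=dm-0 ino=300001 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1212000000.005:2005): avc:  denied  { unlink } for  pid=7300 comm="python" name="localUsers.db-journal" dev=dm-0 ino=300003 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
"""

# One AVC record: "avc:  denied  { perm perm } for ... scontext=u:r:t:s tcontext=u:r:t:s tclass=cls"
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Targets that label shared system data (assumed list for this example).
# A write-type denial against one of these means the object is mislabeled
# or in the wrong directory: relabel it, do not loosen the policy.
SYSTEM_TYPES = {"etc_t", "bin_t", "usr_t", "lib_t", "var_t", "root_t", "tmp_t"}


def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial of their own
        stype = m.group("scon").split(":")[2]   # context is user:role:type[:level]
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def build_module(log_text, name, version="1.0"):
    """Turn AVC denials into policy module source (a .te file).

    Returns (te_source, relabel_targets). Denials against a system type are
    left out of the module and returned as (target_type, tclass) pairs so
    the administrator can fix the label instead.
    """
    rules = defaultdict(set)        # (stype, ttype, tclass) -> permissions
    relabel = set()
    for stype, ttype, tclass, perms in parse_avc(log_text):
        if ttype in SYSTEM_TYPES:
            relabel.add((ttype, tclass))
            continue
        rules[(stype, ttype, tclass)] |= perms

    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)      # the require block needs every class/perm used
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n", sorted(relabel)


if __name__ == "__main__":
    te, relabel = build_module(SAMPLE_AUDIT_LOG, "vacationpolicy")
    print(te)
    for ttype, tclass in relabel:
        print(f"# not allowed: {tclass} labeled {ttype} should be relabeled, not opened up")
```

The generated source builds and loads the same way as the module in the post: checkmodule -M -m -o vacationpolicy.mod vacationpolicy.te, semodule_package -o vacationpolicy.pp -m vacationpolicy.mod, semodule -i vacationpolicy.pp. For the etc_t hit the script flags, the fix is the relabel Dan Walsh described, made persistent with semanage fcontext -a -t postfix_spool_t '/var/spool/postfix/vacation(/.*)?' followed by restorecon -Rv /var/spool/postfix/vacation, so that a later relabel of the filesystem does not silently reintroduce the denial.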