Old 08-25-2011, 03:52 PM
Fulko Hew
 
Default selinux + mailman +postfix security problem (F14)

On Fedora 14, I am setting up postfix and mailman.

I had this working once, but I decided to yum erase postfix and mailman
and redo the configuration to prove I knew how to recreate it.



Turns out I don't know how to recreate a working combination,
because when creating a new list I now have a mailman error log that
talks about:

command failed: /usr/sbin/postalias /etc/mailman/aliases (status: 1, Operation not permitted)



and a corresponding AVC error:

Aug 25 10:28:54 (null) (null): audit(1314282534.501:4326): avc: denied { search } for
pid=12121 comm=postalias name=postfix ino=295074 dev=dm-0
scontext=system_u:system_r:mailman_cgi_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

Suggestions?

Fulko


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 08-25-2011, 04:13 PM
Marcos Luis Ortiz Valmaseda
 
Default selinux + mailman +postfix security problem (F14)

Can you provide the ls -Z of your content in /etc/mailman/aliases?
A piece of advice: use sealert to see a more human-readable approach to analyze the SELinux logs.


--
Marcos Luis Ortíz Valmaseda
Software Engineer (UCI)
Linux User # 418229
http://marcosluis2186.posterous.com
http://www.linkedin.com/in/marcosluis2186
https://fedoraproject.org/wiki/User:Marcosluis


 
Old 08-25-2011, 04:16 PM
Fulko Hew
 
Default selinux + mailman +postfix security problem (F14)

On Thu, Aug 25, 2011 at 12:13 PM, Marcos Luis Ortiz Valmaseda <marcosluis2186@googlemail.com> wrote:

> Can you provide the ls -Z of your content in /etc/mailman/aliases

[root@netwatch log]# ls -Z /etc/mailman/aliases
-rw-rw----. root mailman unconfined_u:object_r:mailman_data_t:s0 /etc/mailman/aliases

> A piece of advice: use sealert to see a more human-readable approach to analyze the SELinux logs.

While waiting for a response from the list... I had just (discovered and) done a:

# grep postalias /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But I haven't tested it yet.




 
Old 08-25-2011, 04:20 PM
Marcos Luis Ortiz Valmaseda
 
Default selinux + mailman +postfix security problem (F14)

Well, test it and say the response to us.


 
Old 08-25-2011, 06:15 PM
Daniel J Walsh
 
Default selinux + mailman +postfix security problem (F14)


On 08/25/2011 11:52 AM, Fulko Hew wrote:
> On Fedora 14, I am setting up postfix and mailman.
>
> I had this working once, but I decided to yum erase postfix and
> mailman and redo the configuration to prove I knew how to recreate
> it.
>
> Turns out I don't know how to recreate a working combination
> because when creating a new list I now have mailman error log that
> talks about:
>
> command failed: /usr/sbin/postalias /etc/mailman/aliases (status:
> 1, Operation not permitted)
>
> and a corresponding AVC error:
>
> Aug 25 10:28:54 (null) (null): audit(1314282534.501:4326): avc:
> denied { search } for pid=12121 comm=postalias name=postfix
> ino=295074 dev=dm-0 scontext=system_u:system_r:mailman_cgi_t:s0
> tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
>
> Suggestions?
>
> Fulko
>
>
>
restorecon -R -v /etc/mailman

Should change the label.

Should be

system_u:object_r:mailman_data_t:s0
 
Old 09-12-2011, 12:38 PM
Fulko Hew
 
Default selinux + mailman +postfix security problem (F14)

On Thu, Aug 25, 2011 at 12:20 PM, Marcos Luis Ortiz Valmaseda <marcosluis2186@googlemail.com> wrote:

> Well, test it and say the response to us.

So the first issue was:
SELinux is preventing /usr/sbin/postalias from search access on the directory /etc/postfix.

It then complained (one at a time) about:
SELinux is preventing /usr/sbin/postalias from read access on the file /etc/postfix/main.cf.
SELinux is preventing /usr/sbin/postalias from open access on the file /etc/postfix/main.cf.
SELinux is preventing /usr/sbin/postalias from getattr access on the file /etc/postfix/main.cf.

So I redid 'audit2allow' over and over to get past each problem.

...I can continue to do this, or disable SELinux, but I shouldn't have to,
something else is wrong here. ;-(

Finally, I can now create a new mailing list.
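The message above describes one audit2allow round per denial. As an added example (not part of the thread and not code from any SELinux tool), this Python script parses AVC denial lines and merges them by source type, target type and object class, so the whole set can be reviewed as a single policy change. The function names and every log record after the first are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the AVC line quoted in the thread; the other lines are
# constructed for this example (pids, inodes and serials are made up).
SAMPLE_LOG = """\
Aug 25 10:28:54 (null) (null): audit(1314282534.501:4326): avc: denied { search } for pid=12121 comm=postalias name=postfix ino=295074 dev=dm-0 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1314282601.112:4331): avc:  denied  { read } for  pid=12140 comm="postalias" name="main.cf" dev=dm-0 ino=295080 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1314282655.870:4339): avc:  denied  { open } for  pid=12158 comm="postalias" name="main.cf" dev=dm-0 ino=295080 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1314282700.004:4345): avc:  denied  { getattr } for  pid=12171 comm="postalias" path="/etc/postfix/main.cf" dev=dm-0 ino=295080 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1314282710.300:4350): avc:  denied  { write } for  pid=900 comm="httpd" name="tmp" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; contexts are user:role:type:level, rules use the type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    src = rec.get("scontext", "").split(":")
    tgt = rec.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in rec:
        return None  # truncated or malformed record
    rec.update(perms=m.group(1).split(), stype=src[2], ttype=tgt[2])
    return rec

def group_denials(log, comm=None):
    """Merge denials into {(source type, target type, class): {perms}}."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and (comm is None or rec.get("comm") == comm):
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)

def candidate_rules(groups):
    """Render grouped denials as allow rules for review before any module is built."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(group_denials(SAMPLE_LOG, comm="postalias"))))
```

With the sample input, the four postalias denials collapse into two rules, both from mailman_cgi_t to postfix_etc_t.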


