On 01/05/2012 12:57 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
>> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
>>> I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box.
>>> My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
>>> I've tried changing mm-handler's selinux context type a few times, but nothing has resulted in success [....]
>> Set it back to its default label and then tell me what AVC messages you are seeing?
> The rpm-supplied file is installed with the documentation, not with the binaries:
> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> Its default type is usr_t. If I reset it to that, sendmail can't execute it:
> type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> I appreciate you looking at this, Dan.
Ok then bin_t would be the label I would try, which would execute the command as sendmail_t. Or you could label it mailman_mail_exec_t. Those would be the only ones I would try.
sendmail_t will transition to mailman_mail_t when it executes mailman_mail_exec_t.
sesearch -T -s sendmail_t | grep mailman
type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;
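
The label choice discussed in the reply above, as an added example that is not part of the original thread: it reads the AVC record and the sesearch rule quoted in the thread and reports which domain mm-handler would run in under each candidate label. The function names are hypothetical, and the script assumes the policy allows the execute itself, which it does not check.

```shell
#!/bin/sh
# Added example: not from the thread's authors. Runs offline on the two
# records quoted in the thread (pid/dev/ino were already masked there).
AVC='type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'
RULES='type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;'

# avc_field RECORD KEY -> value of the first KEY=value token in the record
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed -n 1p
}

# ctx_type user:role:type:level -> the type field of a security context
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms RECORD -> permissions listed between the braces
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# domain_after_exec SOURCE_TYPE FILE_TYPE RULES
# Prints the target of a matching process type_transition. With no matching
# rule the exec stays in the caller's domain, so SOURCE_TYPE is printed.
domain_after_exec() {
    target=$(printf '%s\n' "$3" | awk -v s="$1" -v f="$2" '
        $1 == "type_transition" && $2 == s && $3 == f && $5 == "process" {
            sub(/;$/, "", $6); print $6; exit
        }')
    printf '%s\n' "${target:-$1}"
}

# relabel_plan TYPE PATH -> commands for a persistent label (printed, not run)
relabel_plan() {
    printf "semanage fcontext -a -t %s '%s'\n" "$1" "$2"
    printf "restorecon -v '%s'\n" "$2"
}

src=$(ctx_type "$(avc_field "$AVC" scontext)")
tgt=$(ctx_type "$(avc_field "$AVC" tcontext)")
echo "denied: $src -> $tgt ($(avc_perms "$AVC"))"
for label in bin_t mailman_mail_exec_t; do
    echo "$label: runs as $(domain_after_exec "$src" "$label" "$RULES")"
done
# Path as given in the thread; substitute wherever the script is installed.
relabel_plan mailman_mail_exec_t /usr/share/doc/mailman-2.1.12/contrib/mm-handler
```

On a live system, feed `domain_after_exec` the output of `sesearch -T -s sendmail_t` instead of the embedded rule.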