I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box.
My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success:

context                result
-------------------    -----------------------------------------
etc_mail_t             sendmail can't execute mm-handler
mailman_mail_exec_t    mm-handler can't load perl modules
bin_t                  mm-handler can't read Mailman data
sendmail_exec_t        mm-handler can't read Mailman data
I'm willing and able to whip up a local policy modification, but I thought I'd ask if there's a standard solution to this problem; my Google searches have so far proven ineffective at providing pointers to an answer.
On 01/04/2012 05:37 PM, Paul Heinlein wrote:
> I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box.
> My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
> I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success:
>
> context                result
> -------------------    -----------------------------------------
> etc_mail_t             sendmail can't execute mm-handler
> mailman_mail_exec_t    mm-handler can't load perl modules
> bin_t                  mm-handler can't read Mailman data
> sendmail_exec_t        mm-handler can't read Mailman data
>
> I'm willing and able to whip up a local policy modification, but I thought I'd ask if there's a standard solution to this problem; my Google searches have so far proven ineffective at providing pointers to an answer.
Set it back to its default label and then tell me what AVC messages you are seeing?
On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
> > I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box.
> > My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
> > I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success [....]
> Set it back to its default label and then tell me what AVC messages you are seeing?
The rpm-supplied file is installed with the documentation, not with the binaries:
/usr/share/doc/mailman-2.1.12/contrib/mm-handler
Its default type is usr_t. If I reset it to that, sendmail can't execute it:
type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
I appreciate you looking at this, Dan.
On 01/05/2012 12:57 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> > On 01/04/2012 05:37 PM, Paul Heinlein wrote:
> > > I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box.
> > > My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
> > > I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success [....]
> > Set it back to its default label and then tell me what AVC messages you are seeing?
> The rpm-supplied file is installed with the documentation, not with the binaries:
> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> Its default type is usr_t. If I reset it to that, sendmail can't execute it:
> type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> I appreciate you looking at this, Dan.
Ok then bin_t would be the label I would try, which would execute the command as sendmail_t. Or you could label it mailman_mail_exec_t. Those would be the only ones I would try.
sendmail_t will transition to mailman_mail_t when it executes mailman_mail_exec_t.
sesearch -T -s sendmail_t | grep mailman
type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;
On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> > > > My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
> > > > I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success [....]
> > > Set it back to its default label and then tell me what AVC messages you are seeing?
> > The rpm-supplied file is installed with the documentation, not with the binaries:
> > /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> > Its default type is usr_t. If I reset it to that, sendmail can't execute it:
> > type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> > I appreciate you looking at this, Dan.
> Ok then bin_t would be the label I would try, which would execute the command as sendmail_t. Or you could label it mailman_mail_exec_t. Those would be the only ones I would try.
With a bin_t context, mm-handler can't read mailman data:
type=AVC msg=audit(1325788342.593:64979): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
With a mailman_mail_exec_t context, mm-handler can't open its Perl libraries:
type=AVC msg=audit(1325788608.288:64986): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/usr/share/perl5/FileHandle.pm" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
I suspect at this point that I'll have to write a local exception policy. Which is the lesser of the two evils:
* let mailman_mail_t access usr_t files, or
* let sendmail_t access mailman_data_t files?
I'm leaning toward the latter.
On 01/05/2012 01:47 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> > > > > My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.
> > > > > I've tried changing mm-handler's SELinux context type a few times, but nothing has resulted in success [....]
> > > > Set it back to its default label and then tell me what AVC messages you are seeing?
> > > The rpm-supplied file is installed with the documentation, not with the binaries:
> > > /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> > > Its default type is usr_t. If I reset it to that, sendmail can't execute it:
> > > type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> > > I appreciate you looking at this, Dan.
> > Ok then bin_t would be the label I would try, which would execute the command as sendmail_t. Or you could label it mailman_mail_exec_t. Those would be the only ones I would try.
> With a bin_t context, mm-handler can't read mailman data:
> type=AVC msg=audit(1325788342.593:64979): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
> With a mailman_mail_exec_t context, mm-handler can't open its Perl libraries:
> type=AVC msg=audit(1325788608.288:64986): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/usr/share/perl5/FileHandle.pm" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> I suspect at this point that I'll have to write a local exception policy. Which is the lesser of the two evils:
> * let mailman_mail_t access usr_t files, or
> * let sendmail_t access mailman_data_t files?
> I'm leaning toward the latter.
Yes, I agree, mailman_mail_t is better, and the latest Fedora policy has files_read_usr_files(mailman_mail_t).
I will get it backported into RHEL6.
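An added triage helper, not code from the thread or from the Mailman or SELinux projects, that parses the three AVC records quoted above into the TE allow rules they imply and groups them by source domain, which is the comparison behind the "lesser of two evils" question: with mm-handler labeled mailman_mail_exec_t, the only gap is mailman_mail_t reading usr_t, the access the files_read_usr_files(mailman_mail_t) interface Dan mentions supplies. The regex and the Denial record are this example's own; the AVC lines are the ones from the thread.

```python
import re
from dataclasses import dataclass

# Fields of an "avc: denied" audit record that matter when deciding policy.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

@dataclass(frozen=True)
class Denial:
    perms: tuple        # permissions refused, e.g. ("execute",)
    source_type: str    # type of the acting domain, e.g. "sendmail_t"
    target_type: str    # type of the object touched, e.g. "usr_t"
    tclass: str         # object class, e.g. "file"

def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return Denial(tuple(m.group("perms").split()), stype, ttype, m.group("tclass"))

def allow_rule(d):
    """Render the narrowest TE allow rule that would have permitted the denied access."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"

def rules_by_domain(lines):
    """Group implied rules by source domain, so each labeling choice can be compared."""
    grouped = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            grouped.setdefault(d.source_type, set()).add(allow_rule(d))
    return grouped

# The three denials from the thread: default usr_t label, bin_t, and mailman_mail_exec_t.
THREAD_AVCS = [
    'type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1325788342.593:64979): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file',
    'type=AVC msg=audit(1325788608.288:64986): avc: denied { getattr } for pid=XXXX comm="mm-handler" path="/usr/share/perl5/FileHandle.pm" dev=XXXX ino=XXXX scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]

if __name__ == "__main__":
    for domain, rules in sorted(rules_by_domain(THREAD_AVCS).items()):
        print(domain, sorted(rules))
```

The sendmail_t group shows why the bin_t route is the wider hole: it needs the mailer domain itself to touch Mailman's data, whereas the mailman_mail_t group is a single read of world-readable usr_t files.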