[CentOS] selinux context for mm-handler?

Thu Jan 5 20:13:28 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 01/05/2012 01:47 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> 
>>>>> My big obstacle at present is getting Mailman's mm-handler
>>>>> Perl script to run as a Sendmail local mailer with SELinux
>>>>> enabled.
>>>>> 
>>>>> I've tried changing mm-handler's selinux context type a few
>>>>> times, but nothing has resulted in success [....]
>>>> 
>>>> Set it back to its default label and then tell me what AVC
>>>> messages you are seeing?
>>> 
>>> The rpm-supplied file is installed with the documentation, not
>>> with the binaries:
>>> 
>>> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
>>> 
>>> Its default type is usr_t. If I reset it to that, sendmail
>>> can't execute it:
>>> 
>>> type=AVC msg=audit(1325785833.463:64862): avc:  denied  {
>>> execute } for pid=XXXXX comm="sendmail" name="mm-handler"
>>> dev=XXX ino=XXXXXXXXXX
>>> scontext=unconfined_u:system_r:sendmail_t:s0 
>>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>> 
>>> I appreciate you looking at this, Dan.
>>> 
>> Ok, then bin_t would be the label I would try, which would execute
>> the command as sendmail_t.  Or you could label it
>> mailman_mail_exec_t. Those would be the only ones I would try.
> 
> With a bin_t context, mm-handler can't read mailman data:
> 
> type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr }
> for pid=XXXX comm="mm-handler" 
> path="/var/lib/mailman/lists/listtest/config.pck" dev=XXXX 
> ino=XXXX scontext=unconfined_u:system_r:sendmail_t:s0 
> tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
> 
> With a mailman_mail_exec_t context, mm-handler can't open its Perl 
> libraries:
> 
> type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr }
> for pid=XXXX comm="mm-handler" 
> path="/usr/share/perl5/FileHandle.pm" dev=XXXX ino=XXXX 
> scontext=unconfined_u:system_r:mailman_mail_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> I suspect at this point that I'll have to write a local exception 
> policy. Which is the lesser of the two evils:
> 
> * let mailman_mail_t access usr_t files, or
> * let sendmail_t access mailman_data_t files?
> 
> I'm leaning toward the latter.
> 

Yes, I agree: mailman_mail_t is better, and the latest Fedora policy has
files_read_usr_files(mailman_mail_t).

I will get it backported into RHEL6.
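As an added illustration (not code from this thread or from the Mailman or SELinux projects), the script below parses AVC records like the three quoted above into the allow rules audit2allow would propose, keyed by the domain mm-handler actually runs in. It makes the trade-off concrete: with the bin_t label the script runs as sendmail_t and the rule has to widen sendmail_t, while with mailman_mail_exec_t it runs as mailman_mail_t and only needs the usr_t read that files_read_usr_files() grants. The sample AVC lines are re-joined onto one line each with constructed pid/dev/ino values, and the module name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this thread, one per line
# (the list archive wrapped them), with placeholder pid/dev/ino values.
SAMPLE_AVCS = """\
type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute } for pid=1001 comm="sendmail" name="mm-handler" dev=dm-0 ino=11 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr } for pid=1002 comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck" dev=dm-0 ino=12 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr } for pid=1003 comm="mm-handler" path="/usr/share/perl5/FileHandle.pm" dev=dm-0 ino=13 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parts of one AVC denial that matter for policy, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "target": f.get("path") or f.get("name"),
        # a context is user:role:type:level; allow rules are written on the type
        "sdomain": f["scontext"].split(":")[2],
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }

def merge_denials(lines):
    """Collapse denials into {(source domain, target type, class): permissions}."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)

def allow_rules(merged):
    """One audit2allow-style rule per (source, target, class) triple, sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def module_text(name, merged):
    """Render the rules as a minimal loadable TE module, the shape audit2allow -M writes."""
    types = sorted({x for (s, t, _c) in merged for x in (s, t)})
    classes = defaultdict(set)
    for (_s, _t, c), p in merged.items():
        classes[c] |= p
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n" + "\n".join(allow_rules(merged)) + "\n"
```

In a real local module you would prefer the interface Dan names, files_read_usr_files(mailman_mail_t), over the raw allow rule; the raw rule is what audit2allow shows and is useful for seeing exactly which access is being requested before deciding whether to grant it.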