[CentOS] selinux context for mm-handler?
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 5 18:28:49 UTC 2012
On 01/05/2012 12:57 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
>
>> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
>>> I've got a Mailman installation running on CentOS 4 that I'd
>>> like to migrate to a CentOS 6 box.
>>>
>>> My big obstacle at present is getting Mailman's mm-handler
>>> Perl script to run as a Sendmail local mailer with SELinux
>>> enabled.
>>>
>>> I've tried changing mm-handler's selinux context type a few
>>> times, but nothing has resulted in success [....]
>>
>> Set it back to its default label and then tell me what AVC
>> messages you are seeing?
>
> The rpm-supplied file is installed with the documentation, not with
> the binaries:
>
> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
>
> Its default type is usr_t. If I reset it to that, sendmail can't
> execute it:
>
> type=AVC msg=audit(1325785833.463:64862): avc: denied { execute }
> for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX
> ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> I appreciate you looking at this, Dan.
>
Ok then bin_t would be the label I would try, which would execute the
command as sendmail_t. Or you could label it mailman_mail_exec_t.
Those would be the only ones I would try.

sendmail_t will transition to mailman_mail_t when it executes
mailman_mail_exec_t.

sesearch -T -s sendmail_t | grep mailman
   type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;
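Added example, not part of the original message and not code from the SELinux tools: a short Python sketch that parses the AVC denial and the sesearch line quoted in this thread, then looks up which domain sendmail_t would end up in for each candidate label. The function names are hypothetical, and the inputs are the thread's own lines re-joined onto single lines.

```python
import re

# Constructed inputs: the AVC record and sesearch line quoted in the thread,
# re-joined onto single lines (XXX placeholders kept as posted).
AVC = ('type=AVC msg=audit(1325785833.463:64862): avc: denied { execute } '
       'for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX '
       'ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 '
       'tcontext=system_u:object_r:usr_t:s0 tclass=file')
SESEARCH = 'type_transition sendmail_t mailman_mail_exec_t : process mailman_mail_t;'

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
                    r'tclass=(?P<tclass>\S+)')
TT_RE = re.compile(r'type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+?);')


def parse_avc(record):
    """Return perms, source type, target type and class from one AVC denial."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError('not an AVC denial record')
    # A context is user:role:type[:level]; the type is always the third field.
    return {
        'perms': m['perms'].split(),
        'source_type': m['scontext'].split(':')[2],
        'target_type': m['tcontext'].split(':')[2],
        'tclass': m['tclass'],
    }


def parse_transitions(text):
    """Map (source domain, entrypoint type) -> new domain from sesearch -T output."""
    return {(src, exe): new for src, exe, new in TT_RE.findall(text)}


def domain_after_exec(source_type, file_type, transitions):
    """Domain the process runs in after executing a file labelled file_type.

    Models only the type_transition lookup; whether execute itself is
    allowed is a separate allow rule that this sketch does not check.
    """
    return transitions.get((source_type, file_type), source_type)


if __name__ == '__main__':
    denial = parse_avc(AVC)
    rules = parse_transitions(SESEARCH)
    print(denial)
    for label in (denial['target_type'], 'bin_t', 'mailman_mail_exec_t'):
        print(label, '->', domain_after_exec(denial['source_type'], label, rules))
```

With no matching type_transition rule the lookup returns the caller's own domain, which matches the bin_t case described in the reply; the usr_t case fails earlier, at the execute permission check shown in the AVC.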