[CentOS] selinux context for mm-handler?

Daniel J Walsh dwalsh at redhat.com
Thu Jan 5 18:28:49 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/05/2012 12:57 PM, Paul Heinlein wrote:
> On Thu, 5 Jan 2012, Daniel J Walsh wrote:
> 
>> On 01/04/2012 05:37 PM, Paul Heinlein wrote:
>>> I've got a Mailman installation running on CentOS 4 that I'd
>>> like to migrate to a CentOS 6 box.
>>> 
>>> My big obstacle at present is getting Mailman's mm-handler
>>> Perl script to run as a Sendmail local mailer with SELinux
>>> enabled.
>>> 
>>> I've tried changing mm-handler's selinux context type a few
>>> times, but nothing has resulted in success [....]
>> 
>> Set it back to its default label and then tell me what AVC
>> messages you are seeing?
> 
> The rpm-supplied file is installed with the documentation, not with
> the binaries:
> 
> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
> 
> Its default type is usr_t. If I reset it to that, sendmail can't
> execute it:
> 
> type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute }
> for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX 
> ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> I appreciate you looking at this, Dan.
> 
Ok then bin_t would be the label I would try, which would execute the
command as sendmail_t.  Or you could label it mailman_mail_exec_t.
Those would be the only ones I would try.

sendmail_t will transition to mailman_mail_t when it executes
mailman_mail_exec_t.


sesearch -T -s sendmail_t | grep mailman
   type_transition sendmail_t mailman_mail_exec_t : process
mailman_mail_t;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8F6+EACgkQrlYvE4MpobP8NQCeNT06b09LP/Y4Dvb3vY+BaxKR
fm8AnRMMAoRjME74thgal3o1/dro+8HT
=n1+s
-----END PGP SIGNATURE-----



More information about the CentOS mailing list