[CentOS] selinux context for mm-handler?

Thu Jan 5 18:47:14 UTC 2012
Paul Heinlein <heinlein at madboa.com>

On Thu, 5 Jan 2012, Daniel J Walsh wrote:

>>>> My big obstacle at present is getting Mailman's mm-handler Perl 
>>>> script to run as a Sendmail local mailer with SELinux enabled.
>>>>
>>>> I've tried changing mm-handler's selinux context type a few 
>>>> times, but nothing has resulted in success [....]
>>>
>>> Set it back to its default label and then tell me what AVC 
>>> messages you are seeing?
>>
>> The rpm-supplied file is installed with the documentation, not with 
>> the binaries:
>>
>> /usr/share/doc/mailman-2.1.12/contrib/mm-handler
>>
>> Its default type is usr_t. If I reset it to that, sendmail can't
>> execute it:
>>
>> type=AVC msg=audit(1325785833.463:64862): avc:  denied  { execute }
>> for pid=XXXXX comm="sendmail" name="mm-handler" dev=XXX
>> ino=XXXXXXXXXX scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>>
>> I appreciate you looking at this, Dan.
>>
> Ok then bin_t would be the label I would try, which would execute the
> command as sendmail_t.  Or you could label it mailman_mail_exec_t.
> Those would be the only ones I would try.

With a bin_t context, mm-handler can't read mailman data:

type=AVC msg=audit(1325788342.593:64979): avc:  denied  { getattr } for
pid=XXXX comm="mm-handler" path="/var/lib/mailman/lists/listtest/config.pck"
dev=XXXX ino=XXXX scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=file

With a mailman_mail_exec_t context, mm-handler can't open its Perl 
libraries:

type=AVC msg=audit(1325788608.288:64986): avc:  denied  { getattr } for
pid=XXXX comm="mm-handler" path="/usr/share/perl5/FileHandle.pm"
dev=XXXX ino=XXXX scontext=unconfined_u:system_r:mailman_mail_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

I suspect at this point that I'll have to write a local exception 
policy. Which is the lesser of the two evils:

   * let mailman_mail_t access usr_t files, or
   * let sendmail_t access mailman_data_t files?

I'm leaning toward the latter.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
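The two denials above are the raw material for the local policy module Paul is weighing. As an added illustration (not code from the thread, and not a replacement for audit2allow), the script below re-joins AVC records that a mail client wrapped across lines, pulls the source type, target type, object class and denied permissions out of each, and collapses them into the .te allow rules each labelling choice would require, so the "bin_t" and "mailman_mail_exec_t" options can be compared side by side. The embedded log is constructed from the messages quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed input: the two AVC denials quoted above, kept with the wrapping
# the mail client introduced (each record spans several lines).
AVC_LOG = """\
type=AVC
msg=audit(1325788342.593:64979): avc:  denied  { getattr } for
comm="mm-handler"
path="/var/lib/mailman/lists/listtest/config.pck"
scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=system_u:object_r:mailman_data_t:s0
tclass=file
type=AVC
msg=audit(1325788608.288:64986): avc:  denied  { getattr } for
comm="mm-handler"
path="/usr/share/perl5/FileHandle.pm"
scontext=unconfined_u:system_r:mailman_mail_t:s0
tcontext=system_u:object_r:usr_t:s0
tclass=file
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")    # { getattr } or { read open }

def split_records(text):
    """Re-join wrapped records; every record starts with a type=AVC token."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=AVC"):
            records.append(line.strip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return (source type, target type, class, denied perms) for one record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    source = fields["scontext"].split(":")[2]  # user:role:TYPE:level
    target = fields["tcontext"].split(":")[2]
    perms = PERMS.search(record).group(1).split()
    return source, target, fields["tclass"], perms

def allow_rules(text):
    """Collapse denials into the .te allow rules a local module would need."""
    needed = defaultdict(set)
    for record in split_records(text):
        source, target, tclass, perms = parse_avc(record)
        needed[(source, target, tclass)].update(perms)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())
```

Running `allow_rules(AVC_LOG)` yields one rule per labelling choice, `allow mailman_mail_t usr_t:file { getattr };` and `allow sendmail_t mailman_data_t:file { getattr };`, which makes the scope of each exception easy to compare before committing either to a module.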