Mailman AVCs

Todd Zullinger tmz at pobox.com
Sun Nov 16 20:11:27 UTC 2008


In response to a thread on the mailman-users list regarding problems
creating a new list via mailman's web interface¹, I did some testing
on CentOS 5 and Fedora 9.  There are a small number of SELinux denials
when using mailman with postfix that would be nice to get fixed up.

For background, mailman has some nice integration with postfix which
allows list aliases to be set up automatically (as opposed to having an
admin manually add new list aliases to /etc/aliases or what have you).
This is documented in the mailman install manual².

When setting up mailman to work with postfix, the following denials
are seen on Fedora 9 (they are slightly different on CentOS 5,
unsurprisingly):

    type=AVC msg=audit(1226861409.980:83): avc:  denied  { search } for  pid=24239 comm="postalias" name="postfix" dev=sda2 ino=213317 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
    type=AVC msg=audit(1226861409.980:83): avc:  denied  { read } for  pid=24239 comm="postalias" name="main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
    type=AVC msg=audit(1226861409.990:84): avc:  denied  { getattr } for  pid=24239 comm="postalias" path="/etc/postfix/main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
    type=AVC msg=audit(1226861755.237:93): avc:  denied  { read write } for  pid=24597 comm="mailman" path="socket:[1115689]" dev=sockfs ino=1115689 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=udp_socket

Using audit2allow, I ended up with the following policy:

    module mailmanpostfix 1.0;

    require {
            type mailman_cgi_t;
            type mailman_mail_t;
            type postfix_etc_t;
            type postfix_local_t;
            class dir search;
            class file { read getattr };
            class udp_socket { read write };
    }

    #============= mailman_cgi_t ==============
    allow mailman_cgi_t postfix_etc_t:dir search;
    allow mailman_cgi_t postfix_etc_t:file { read getattr };

    #============= mailman_mail_t ==============
    allow mailman_mail_t postfix_local_t:udp_socket { read write };

I'd love to help get this integrated into the official SELinux policy
packages for Fedora (and CentOS/RHEL if possible).  I am not certain
if the above policy can be tightened up or not.  Any help there would
be very much appreciated.

¹ http://www.mail-archive.com/mailman-users%40python.org/msg51591.html
  (The policy from the denials on CentOS 5 is in this thread.)

² http://www.gnu.org/software/mailman/mailman-install/node12.html and
  http://www.gnu.org/software/mailman/mailman-install/node13.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Happiness is like peeing on yourself. Everyone can see it, but only
you can feel its warmth
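
As an added worked example (not part of the original message, and not
the audit2allow tool itself), the script below reproduces the step
between the AVC lines quoted above and the policy module: it parses each
denial's permission set, scontext, tcontext and tclass, merges denials
that share the same (source type, target type, class) into one allow
rule, and emits a .te module with the require block filled in. The four
AVC records embedded in it are copied from the message so it runs
offline; the module name "mailmanpostfix", the sorted permission order
and the tab indentation are choices of the example, not something the
message specifies.

```python
"""Minimal audit2allow-style translation of SELinux AVC denials into a
Type Enforcement (.te) module.

Added example: not the original post's code and not audit2allow itself.
It reproduces only the subset of that tool's logic needed to turn the
denials quoted in the post into the allow rules shown there.
"""
import re
from collections import OrderedDict

# The four AVC records from the post, embedded so the example is self-contained.
SAMPLE_AVCS = """\
type=AVC msg=audit(1226861409.980:83): avc:  denied  { search } for  pid=24239 comm="postalias" name="postfix" dev=sda2 ino=213317 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1226861409.980:83): avc:  denied  { read } for  pid=24239 comm="postalias" name="main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861409.990:84): avc:  denied  { getattr } for  pid=24239 comm="postalias" path="/etc/postfix/main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861755.237:93): avc:  denied  { read write } for  pid=24597 comm="mailman" path="socket:[1115689]" dev=sockfs ino=1115689 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=udp_socket
"""

# Pull the permission set and the three context fields out of one audit record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s.*?'
    r'tcontext=(?P<tcon>\S+)\s.*?'
    r'tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions.

    Records that do not match the AVC denial shape (other audit record
    types, or granted/auditallow events) are skipped, as audit2allow does.
    """
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        rules.setdefault(key, set()).update(m['perms'].split())
    return rules


def format_perms(perms):
    """Render a permission set in .te syntax: bare name or brace-grouped list."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_module(rules, name, version='1.0'):
    """Emit a loadable-module source: header, require block, allow rules."""
    types = OrderedDict()
    classes = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        types.setdefault(stype, None)
        types.setdefault(ttype, None)
        # The require block must list every class/permission the rules use.
        classes.setdefault(tclass, set()).update(perms)

    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, format_perms(p)) for c, p in classes.items()]
    out += ['}', '']
    for (stype, ttype, tclass), perms in rules.items():
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, format_perms(perms)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module(parse_avcs(SAMPLE_AVCS), 'mailmanpostfix'), end='')
```

The text this writes is the same kind of input you would hand to
checkmodule -M -m and semodule_package, or get directly by piping the raw
audit lines through audit2allow -M mailmanpostfix and then loading the
result with semodule -i mailmanpostfix.pp. Note that the two file
denials on main.cf (read, then getattr) collapse into a single rule, which
is why the post's module shows three allow lines for four AVC records.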
