Mailman/Postfix execute_no_trans denial

Paul Howarth paul at city-fan.org
Tue May 23 07:08:56 UTC 2006


On Mon, 2006-05-22 at 20:17 -0400, Todd Zullinger wrote:
> I wrote:
> > When I get a moment I'll boot to FC5 and try changing the context to
> > see what happens.
> 
> Changing the context on /usr/lib/mailman/mail/mailman from lib_t to
> bin_t does get things further, and on to the next set of denials.
> 
> The avc messages:
> 
> May 22 20:06:36 localhost kernel: audit(1148342796.414:35): avc:  denied  { create } for  pid=9382 comm="python" scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:postfix_local_t:s0 tclass=netlink_route_socket

I get lots of these for webalizer run from cron, which I queried about
yesterday. I don't know what this is.

> May 22 20:06:36 localhost kernel: audit(1148342796.578:36): avc:  denied  { search } for  pid=9382 comm="python" name="log" dev=sda2 ino=489147 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

Looks like mailman trying to read the log file directory. May need a
policy change for this - I needed something similar for procmail.

> May 22 20:06:36 localhost kernel: audit(1148342796.582:37): avc:  denied  { write } for  pid=9382 comm="python" name="in" dev=sda2 ino=491751 scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mailman_data_t:s0 tclass=dir

Failed trying to write new file to directory /var/spool/mailman/in.

I wonder if the mailman policy was written specifically with sendmail in
mind rather than postfix?

> The postfix messages:
> 
> May 22 20:06:36 localhost postfix/pickup[9212]: 4CD6513687C: uid=500 from=<tmz>
> May 22 20:06:36 localhost postfix/cleanup[9379]: 4CD6513687C: message-id=<20060523000636.GE9258 at localhost.localdomain>
> May 22 20:06:36 localhost postfix/qmgr[9213]: 4CD6513687C: from=<tmz at localhost.localdomain>, size=463, nrcpt=1 (queue active)
> May 22 20:06:36 localhost postfix/local[9381]: 4CD6513687C: to=<pgp-test at localhost.localdomain>, relay=local, delay=0, status=bounced (Command died with status 1: "/usr/lib/mailman/mail/mailman post pgp-test". Command output: Traceback (most recent call last):   File "/usr/lib/mailman/scripts/post", line 69, in ?     main()   File "/usr/lib/mailman/scripts/post", line 64, in main     tolist=1, _plaintext=1)   File "/usr/lib/mailman/Mailman/Queue/Switchboard.py", line 126, in enqueue     fp = open(tmpfile, 'w') IOError: [Errno 13] Permission denied: '/var/spool/mailman/in/1148342796.5827579+b203c4871f8a8269deaef98890980ed0bff9cedb.pck.tmp' )
> May 22 20:06:36 localhost postfix/cleanup[9379]: 989B4136A2C: message-id=<20060523000636.989B4136A2C at localhost.localdomain>
> 
> I'm not sure whether it's worth trying to chase every denial down this
> path or if there is a better fix that can be applied.

I'm not sure. Running in permissive mode for a while should show up all
the denials you'll come across, but they might not all need allowing,
and if something has the wrong label, as appears to be the case
with /usr/lib/mailman/mail/mailman, then the denials won't be useful
anyway.

Paul.
