Bug 183928

Summary: SELinux prevents postfix pipe from delivering email to GNU Mailman
Product: [Fedora] Fedora
Reporter: Eric Smith <spacewar>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 5
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-05 15:04:42 UTC

Description Eric Smith 2006-03-03 20:16:05 UTC
Description of problem:

The SELinux targeted policy doesn't allow for postfix/mailman integration
using the postfix pipe transport.  The rules in postfix.te only allow
postfix pipe to transition to procmail, but not to mailman or python.
(The most common method of postfix/mailman integration is using a python
script postfix-to-mailman.py.)

Until this is fixed, I can't run my server in enforcing mode, because none
of the mailing lists will work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.1-2.22 (FC4)
selinux-policy-2.2.15-4 (FC5test3)

How reproducible:

100%

Steps to Reproduce:
1.  Set up targeted or strict SELinux policy with enforcing turned on
2.  Install postfix and mailman
3.  Install postfix-to-mailman.py script
4.  Update /etc/postfix/main.cf, /etc/postfix/master.cf, and
/etc/postfix/transport per the postfix-to-mailman.py instructions
5.  Run postmap on /etc/postfix/transport to update /etc/postfix/transport.db
6.  Create a mailing list in mailman
7.  Send email to the mailing list submission address
8.  /var/log/maillog will show that the postfix-to-mailman.py script failed to
execute.  /var/log/audit/audit.log will show that SELinux blocked the invocation
of the script due to the postfix_pipe_t policy.
  
Actual results:

Postfix pipe can't deliver email to mailman via the python script

Expected results:

Postfix pipe should deliver email to mailman via the python script

Additional info:

Comment 1 Eric Smith 2006-03-03 20:20:49 UTC
I've brought this up on the Fedora SELinux mailing list, and had some discussion
with Ivan Gyurdiev:

https://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00000.html

Comment 2 Daniel Walsh 2006-03-08 21:55:43 UTC
Hopefully Fixed in  2.2.23-9 :^)

I am allowing a transition from postfix_pipe_t to mailman_queue_t

Comment 3 Eric Smith 2006-03-30 01:20:17 UTC
I'm still getting an error in Fedora Core 5 with selinux-policy-targeted-2.2.23-25:

Mar 29 17:03:30 donnybrook pipe[32747]: fatal: pipe_comand: execvp
/usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 29 17:03:31 donnybrook postfix/pipe[32746]: 740335004E:
to=<test1.com>, relay=mailman, delay=1, status=bounced (Command
died with status 1:\
 "/usr/lib/mailman/bin/postfix-to-mailman-2.1.py")

It works fine when I turn enforcing off.  Do I need to change the security
context of the postfix-to-mailman-2.1.py script?  Currently I have:
 
system_u:object_r:bin_t          postfix-to-mailman-2.1.py


Comment 5 Daniel Walsh 2006-05-05 15:04:42 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed