183928 – SELInux prevents postfix pipe from delivering email to GNU Mailman

Bug 183928 - SELInux prevents postfix pipe from delivering email to GNU Mailman

Summary: SELInux prevents postfix pipe from delivering email to GNU Mailman

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-03-03 20:16 UTC by Eric Smith
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-05-05 15:04:42 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Eric Smith 2006-03-03 20:16:05 UTC

Description of problem:

The SELinux targetted policy doesn't allow for postfix/mailman integration
using the postfix pipe transport.  The rules in postfix.te only allow
postfix pipe to transition to procmail, but not to mailman or python.
(The most common method of postfix/mailman integration is using a python
script postfix-to-mailman.py.)

Until this is fixed, I can't run my server in enforcing mode, because none
of the mailing lists will work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.1-2.22 (FC4)
selinux-policy-2.2.15-4 (FC5test3)

How reproducible:

100%

Steps to Reproduce:
1.  Set up targeted or strict SELinux policy with enforcing turned on
2.  Install postfix and mailman
3.  Install postfix-to-mailman.py script
4.  Update /etc/postfix/main.cf, /etc/postfix/master.cf, and
/etc/postfix/trasnport per the postfix-to-mailman.py instructions
5.  Run postmap on /etc/postfix/transport to update /etc/postfix/transport.db
6.  Create a mailing list in mailman
7.  Send email to the mailing list submission address
8.  /var/log/maillog will show that the postfix-to-mailman.py script failed to
execute.  /var/log/audit/audit.log will show that SELinux blocked the invocation
of the script due to the postfix_pipe_t policy.
  
Actual results:

Postfix pipe can't deliver email to mailman via the python script

Expected results:

Postfix pipe should deliver email to mailman via the python script

Additional info:

Comment 1 Eric Smith 2006-03-03 20:20:49 UTC

I've brought this up on the Fedora SELinux mailing list, and had some discussion
with Ivan Gyurdiev:

https://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00000.html

Comment 2 Daniel Walsh 2006-03-08 21:55:43 UTC

Hopefully Fixed in  2.2.23-9 :^)

I am allowing a transtion from postfix_pipe_t to mailman_queue_t

Comment 3 Eric Smith 2006-03-30 01:20:17 UTC

I'm still getting an error in Fedora Core 5 with selinux-policy-targeted-2.2.23-25:

Mar 29 17:03:30 donnybrook pipe[32747]: fatal: pipe_comand: execvp
/usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 29 17:03:31 donnybrook postfix/pipe[32746]: 740335004E:
to=<test1.com>, relay=mailman, delay=1, status=bounced (Command
died with status 1:\
 "/usr/lib/mailman/bin/postfix-to-mailman-2.1.py")

It works fine when I turn enforcing off.  Do I need to change the security
context of the postfix-to-mailman-2.1.py script?  Currently I have:
 
system_u:object_r:bin_t          postfix-to-mailman-2.1.py

Comment 5 Daniel Walsh 2006-05-05 15:04:42 UTC

Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

Note You need to log in before you can comment on or make changes to this bug.