Bug 183928 - SELinux prevents postfix pipe from delivering email to GNU Mailman
Summary: SELinux prevents postfix pipe from delivering email to GNU Mailman
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-03-03 20:16 UTC by Eric Smith
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-05-05 15:04:42 UTC
Type: ---
Embargoed:



Description Eric Smith 2006-03-03 20:16:05 UTC
Description of problem:

The SELinux targeted policy doesn't allow for postfix/mailman integration
using the postfix pipe transport.  The rules in postfix.te only allow
postfix pipe to transition to procmail, but not to mailman or python.
(The most common method of postfix/mailman integration is using a python
script postfix-to-mailman.py.)

Until this is fixed, I can't run my server in enforcing mode, because none
of the mailing lists will work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.1-2.22 (FC4)
selinux-policy-2.2.15-4 (FC5test3)

How reproducible:

100%

Steps to Reproduce:
1.  Set up targeted or strict SELinux policy with enforcing turned on
2.  Install postfix and mailman
3.  Install postfix-to-mailman.py script
4.  Update /etc/postfix/main.cf, /etc/postfix/master.cf, and
/etc/postfix/transport per the postfix-to-mailman.py instructions
5.  Run postmap on /etc/postfix/transport to update /etc/postfix/transport.db
6.  Create a mailing list in mailman
7.  Send email to the mailing list submission address
8.  /var/log/maillog will show that the postfix-to-mailman.py script failed to
execute.  /var/log/audit/audit.log will show that SELinux blocked the invocation
of the script due to the postfix_pipe_t policy.
  
Actual results:

Postfix pipe can't deliver email to mailman via the python script

Expected results:

Postfix pipe should deliver email to mailman via the python script

Additional info:

Comment 1 Eric Smith 2006-03-03 20:20:49 UTC
I've brought this up on the Fedora SELinux mailing list, and had some discussion
with Ivan Gyurdiev:

https://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00000.html

Comment 2 Daniel Walsh 2006-03-08 21:55:43 UTC
Hopefully fixed in 2.2.23-9 :^)

I am allowing a transition from postfix_pipe_t to mailman_queue_t

Comment 3 Eric Smith 2006-03-30 01:20:17 UTC
I'm still getting an error in Fedora Core 5 with selinux-policy-targeted-2.2.23-25:

Mar 29 17:03:30 donnybrook pipe[32747]: fatal: pipe_comand: execvp
/usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 29 17:03:31 donnybrook postfix/pipe[32746]: 740335004E:
to=<test1.com>, relay=mailman, delay=1, status=bounced (Command
died with status 1:\
 "/usr/lib/mailman/bin/postfix-to-mailman-2.1.py")

It works fine when I turn enforcing off.  Do I need to change the security
context of the postfix-to-mailman-2.1.py script?  Currently I have:
 
system_u:object_r:bin_t          postfix-to-mailman-2.1.py
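
Added example, not part of the bug report: a small Python parser that pulls the AVC denials for the postfix_pipe_t domain out of audit.log text, which is the check step 8 of the reproduction describes. The sample records are constructed (the bin_t target type mirrors the label quoted in comment 3), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC format (not taken from the bug report).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1143680610.101:901): avc:  denied  { execute } for  pid=32747 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-0 ino=4711 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1143680610.102:902): avc:  denied  { execute_no_trans } for  pid=32747 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-0 ino=4711 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1143680611.007:903): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1143680610.101:901): arch=40000003 syscall=11 success=no exit=-13 comm="pipe"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or not line.startswith('type=AVC'):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # SELinux contexts are user:role:type[:mls-range]; the type is the third field.
    rec['source_type'] = (rec.get('scontext', '').split(':') + ['', '', ''])[2]
    rec['target_type'] = (rec.get('tcontext', '').split(':') + ['', '', ''])[2]
    return rec

def denials_for_domain(log_text, domain):
    """Group denied permissions by (target type, class, object name) for one source domain."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['source_type'] == domain:
            key = (rec['target_type'], rec.get('tclass', '?'), rec.get('name', '?'))
            summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == '__main__':
    found = denials_for_domain(SAMPLE_AUDIT_LOG, 'postfix_pipe_t')
    for (ttype, tclass, name), perms in found.items():
        print(f'postfix_pipe_t -> {ttype}:{tclass} {{ {" ".join(perms)} }} on {name}')
```

Grouping by target type shows at a glance which label the confined domain was denied access to, which is the information a policy or labeling fix has to address.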


Comment 5 Daniel Walsh 2006-05-05 15:04:42 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

