Bug 183928 - SELInux prevents postfix pipe from delivering email to GNU Mailman
SELInux prevents postfix pipe from delivering email to GNU Mailman
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2006-03-03 15:16 EST by Eric Smith
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-05-05 11:04:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eric Smith 2006-03-03 15:16:05 EST
Description of problem:

The SELinux targetted policy doesn't allow for postfix/mailman integration
using the postfix pipe transport.  The rules in postfix.te only allow
postfix pipe to transition to procmail, but not to mailman or python.
(The most common method of postfix/mailman integration is using a python
script postfix-to-mailman.py.)

Until this is fixed, I can't run my server in enforcing mode, because none
of the mailing lists will work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.1-2.22 (FC4)
selinux-policy-2.2.15-4 (FC5test3)

How reproducible:


Steps to Reproduce:
1.  Set up targeted or strict SELinux policy with enforcing turned on
2.  Install postfix and mailman
3.  Install postfix-to-mailman.py script
4.  Update /etc/postfix/main.cf, /etc/postfix/master.cf, and
/etc/postfix/trasnport per the postfix-to-mailman.py instructions
5.  Run postmap on /etc/postfix/transport to update /etc/postfix/transport.db
6.  Create a mailing list in mailman
7.  Send email to the mailing list submission address
8.  /var/log/maillog will show that the postfix-to-mailman.py script failed to
execute.  /var/log/audit/audit.log will show that SELinux blocked the invocation
of the script due to the postfix_pipe_t policy.
Actual results:

Postfix pipe can't deliver email to mailman via the python script

Expected results:

Postfix pipe should deliver email to mailman via the python script

Additional info:
Comment 1 Eric Smith 2006-03-03 15:20:49 EST
I've brought this up on the Fedora SELinux mailing list, and had some discussion
with Ivan Gyurdiev:

Comment 2 Daniel Walsh 2006-03-08 16:55:43 EST
Hopefully Fixed in  2.2.23-9 :^)

I am allowing a transtion from postfix_pipe_t to mailman_queue_t
Comment 3 Eric Smith 2006-03-29 20:20:17 EST
I'm still getting an error in Fedora Core 5 with selinux-policy-targeted-2.2.23-25:

Mar 29 17:03:30 donnybrook pipe[32747]: fatal: pipe_comand: execvp
/usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 29 17:03:31 donnybrook postfix/pipe[32746]: 740335004E:
to=<test1@lists.brouhaha.com>, relay=mailman, delay=1, status=bounced (Command
died with status 1:\

It works fine when I turn enforcing off.  Do I need to change the security
context of the postfix-to-mailman-2.1.py script?  Currently I have:
system_u:object_r:bin_t          postfix-to-mailman-2.1.py
Comment 5 Daniel Walsh 2006-05-05 11:04:42 EDT
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

Note You need to log in before you can comment on or make changes to this bug.