Description of problem:
The SELinux targeted policy doesn't allow for postfix/mailman integration using the postfix pipe transport. The rules in postfix.te only allow postfix pipe to transition to procmail, but not to mailman or python. (The most common method of postfix/mailman integration is using a python script, postfix-to-mailman.py.) Until this is fixed, I can't run my server in enforcing mode, because none of the mailing lists will work.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.22 (FC4)
selinux-policy-2.2.15-4 (FC5test3)

How reproducible:
100%

Steps to Reproduce:
1. Set up targeted or strict SELinux policy with enforcing turned on
2. Install postfix and mailman
3. Install postfix-to-mailman.py script
4. Update /etc/postfix/main.cf, /etc/postfix/master.cf, and /etc/postfix/transport per the postfix-to-mailman.py instructions
5. Run postmap on /etc/postfix/transport to update /etc/postfix/transport.db
6. Create a mailing list in mailman
7. Send email to the mailing list submission address
8. /var/log/maillog will show that the postfix-to-mailman.py script failed to execute. /var/log/audit/audit.log will show that SELinux blocked the invocation of the script due to the postfix_pipe_t policy.

Actual results:
Postfix pipe can't deliver email to mailman via the python script

Expected results:
Postfix pipe should deliver email to mailman via the python script

Additional info:
I've brought this up on the Fedora SELinux mailing list, and had some discussion with Ivan Gyurdiev: https://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00000.html
Hopefully fixed in 2.2.23-9 :^) I am allowing a transition from postfix_pipe_t to mailman_queue_t.
I'm still getting an error in Fedora Core 5 with selinux-policy-targeted-2.2.23-25:

Mar 29 17:03:30 donnybrook pipe[32747]: fatal: pipe_comand: execvp /usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 29 17:03:31 donnybrook postfix/pipe[32746]: 740335004E: to=<test1.com>, relay=mailman, delay=1, status=bounced (Command died with status 1:\ "/usr/lib/mailman/bin/postfix-to-mailman-2.1.py")

It works fine when I turn enforcing off. Do I need to change the security context of the postfix-to-mailman-2.1.py script? Currently I have:

system_u:object_r:bin_t postfix-to-mailman-2.1.py
Closing as these have been marked as modified for a while. Feel free to reopen if not fixed.
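Added example, not part of the original report or of the policy's own tooling: a small Python triage script for the audit.log check in step 8 of the report, which pulls out the AVC denials whose source domain is postfix_pipe_t and groups them by target type so a mislabeled script (such as the bin_t context quoted in the later comment) stands out. The sample records are constructed in the standard audit.log AVC format; their pids, inodes, timestamps and permissions are made up, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1143669810.101:501): avc:  denied  { execute } for  pid=32747 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1143669810.102:502): avc:  denied  { execute_no_trans } for  pid=32747 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1143669811.200:503): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=dm-0 ino=4410 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1143669810.101:501): arch=40000003 syscall=11 success=no exit=-13 comm="pipe" exe="/usr/libexec/postfix/pipe"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
NAME_RE = re.compile(r'\bname="?([^"\s]+)"?')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_denials(text, source_type="postfix_pipe_t"):
    """Return one dict per AVC denial whose source domain is source_type."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # skips non-AVC records and other domains
        name = NAME_RE.search(line)
        denials.append({
            "source": source_type,
            "target": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
            "name": name.group(1) if name else None,
        })
    return denials


def summarize(denials):
    """Merge denials into one line per (source, target, class) triple."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for row in summarize(parse_denials(SAMPLE_AUDIT_LOG)):
        print(row)
```

A target type of bin_t in the summary means the script is still labeled as a generic binary, so a transition that is keyed on a different executable type will not be triggered by running it.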