James B. Byrne
2005-Mar-17 15:58 UTC
[Centos] Setting up Mailman with SELinux on CentOS4 revised
I stepped through the (entire?) selinux authentication process with
mailman using audit2allow and the following work-around resolves
the issue locally. However, the local.te policies that result, or
their more restrictive equivalents, probably should be rolled in to
an updated selinux-policy-targeted rpm for CentOS or submitted to
the upstream maintainers for inclusion with the base.

1. Install selinux-policy-targeted-sources

2. Attempt to create a mailing list using mailman web interface.

3. Run # audit2allow -l -i /var/log/messages

4. Record policy change and edit:
   /etc/selinux/targeted/src/policy/domains/misc/local.te
   appropriately.

4. cd /etc/selinux/targeted/src/policy

5. make reload

6. Iterate steps 2 to 5 until step 2 works. In our case this
process required the following lines added to local.te

# needed to create a mailman list through web interface
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write };
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
# needed to allow web access to mailman archives
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };
allow httpd_t file_t:dir read;
allow httpd_t file_t:file getattr;
allow httpd_t file_t:file read;

7. http://<your server here>/mailman/create now works and web archives
are available to view (presuming that you have properly reconfigured
/etc/httpd/conf.d/mailman.conf for your mailman server.

-- 
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3
Aleksandar Milivojevic
2005-Mar-17 16:43 UTC
[Centos] Setting up Mailman with SELinux on CentOS4 revised
James B. Byrne wrote:
> 3. Run # audit2allow -l -i /var/log/messages

The problem with audit2allow is that it usually tells you to open the
system way too much. It kind of beats the purpose of having SELinux
enabled on the machine.

What you should do instead is to check what file contexts mailman_cgi_t
is allowed to access, and set the target files to one of those contexts.
If the files are created on-the-fly by mailman, then set the context on
the parent directory, and the files will inherit it when created.

If there's no pre-existing file context that fits the purpose, you'll
need to create a new one, assign files/directories to it, and allow
access from mailman_cgi_t to them.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
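As an added illustration of the audit2allow step in James's procedure and of the check Aleksandar suggests (this is example code written for this page, not part of the thread, of audit2allow, or of any CentOS package): the script below reads AVC denial lines in the /var/log/messages format of that era, collapses them into allow rules the way audit2allow did, and then flags every rule whose target type is file_t. On the CentOS 4 targeted policy file_t is the type given to files that carry no SELinux label at all, so a denial against it usually means the files under /var/lib/mailman or the archive directory were never labelled, and the fix is to relabel them into a type mailman_cgi_t or httpd_t already may use, not to grant those domains access to everything unlabelled on the box. The log lines are constructed samples; the type mailman_archive_t in the last one is an assumed type used only for contrast, and every other name comes from the thread.

```shell
#!/bin/sh
# Added example: turn kernel AVC denials into allow rules (what audit2allow did
# in step 3 of the procedure), then separate rules that point at unlabelled
# objects from rules that point at a genuine policy gap.
# The sample log lines are constructed, not a capture from a real system;
# mailman_archive_t in the last line is an assumed type used only for contrast.
SAMPLE_MESSAGES='Mar 17 15:40:01 lists kernel: audit(1111073201.001:40): avc:  denied  { search } for  pid=2104 comm="create" name="lists" dev=hda3 ino=98765 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Mar 17 15:40:01 lists kernel: audit(1111073201.002:41): avc:  denied  { write } for  pid=2104 comm="create" name="lists" dev=hda3 ino=98765 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Mar 17 15:40:02 lists crond[2111]: (root) CMD (run-parts /etc/cron.hourly)
Mar 17 15:40:02 lists kernel: audit(1111073202.003:42): avc:  denied  { add_name } for  pid=2104 comm="create" name="mylist" scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Mar 17 15:40:02 lists kernel: audit(1111073202.004:43): avc:  denied  { search } for  pid=2104 comm="create" name="lists" dev=hda3 ino=98765 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Mar 17 15:40:03 lists kernel: audit(1111073203.005:44): avc:  denied  { getattr write } for  pid=2104 comm="create" name="config.pck" dev=hda3 ino=98801 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=file
Mar 17 15:41:10 lists kernel: audit(1111073270.006:45): avc:  denied  { read } for  pid=1990 comm="httpd" name="index.html" dev=hda3 ino=98900 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=lnk_file
Mar 17 15:41:10 lists kernel: audit(1111073270.007:46): avc:  denied  { read } for  pid=1990 comm="httpd" name="private" dev=hda3 ino=98910 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:mailman_archive_t tclass=dir'

# Read log lines on stdin; emit one allow rule per (source domain, target
# type, object class) with the permissions merged and de-duplicated, which is
# the same collapsing audit2allow performs. Non-AVC lines are ignored.
avc_to_allow() {
    awk '
    /avc: +denied +[{]/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep only what is inside { ... }
        sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i; sub(/.*:/, "", src) }  # last field = type
            if ($i ~ /^tcontext=/) { tgt = $i; sub(/.*:/, "", tgt) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {   # drop repeated denials
                seen[key, p[j]] = 1
                rules[key] = rules[key] " " p[j]
            }
        }
    }
    END {
        for (k in rules) {
            s = substr(rules[k], 2)
            if (index(s, " ")) s = "{ " s " }"
            printf "allow %s %s;\n", k, s
        }
    }' | sort
}

# Read allow rules on stdin; print the ones whose target is file_t, i.e. an
# object with no label. Each of these is a relabelling job (chcon, or a
# file_contexts entry plus restorecon), not a line to add to local.te.
flag_unlabeled() {
    grep -E '^allow [A-Za-z0-9_]+ file_t:' || true
}

# Run on the samples when executed directly.
printf '%s\n' "$SAMPLE_MESSAGES" | avc_to_allow
echo '--- rules aimed at unlabelled (file_t) objects, fix by relabelling:'
printf '%s\n' "$SAMPLE_MESSAGES" | avc_to_allow | flag_unlabeled
```

On a live box, feed the functions `grep avc /var/log/messages` instead of the sample. Only the rule that survives the flagging step (the one against mailman_archive_t in the sample) is a candidate for a policy change, and even that should be reviewed against what httpd_t really needs; the rules in the flagged list are exactly the ones Aleksandar is warning about, since every process running as httpd_t would gain the same access to every unlabelled object on the system.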
Deim Ágoston
2005-Mar-17 20:48 UTC
[Centos] Setting up Mailman with SELinux on CentOS4 revised
James B. Byrne wrote:
>I stepped through the (entire?) selinux authentication process with
>mailman using audit2allow and the following work-around resolves
>the issue locally. However, the local.te policies that result, or
>their more restrictive equivalents, probably should be rolled in to
>an updated selinux-policy-targeted rpm for CentOS or submitted to
>the upstream maintainers for inclusion with the base.
>
>1. Install selinux-policy-targeted-sources
>
>2. Attempt to create a mailing list using mailman web interface.
>
>3. Run # audit2allow -l -i /var/log/messages
>
>4. Record policy change and edit:
> /etc/selinux/targeted/src/policy/domains/misc/local.te
> appropriately.
>
>4. cd /etc/selinux/targeted/src/policy
>
>5. make reload
>
>6. Iterate steps 2 to 5 until step 2 works. In our case this
>process required the following lines added to local.te
>
># needed to create a mailman list through web interface
>allow mailman_cgi_t file_t:dir search;
>allow mailman_cgi_t file_t:dir write;
>allow mailman_cgi_t file_t:dir add_name;
>allow mailman_cgi_t file_t:dir create;
>allow mailman_cgi_t file_t:file create;
>allow mailman_cgi_t file_t:file { getattr write };
>allow mailman_cgi_t file_t:file read;
>allow mailman_cgi_t file_t:lnk_file create;
># needed to allow web access to mailman archives
>allow httpd_t file_t:dir { getattr search };
>allow httpd_t file_t:lnk_file { getattr read };
>allow httpd_t file_t:dir read;
>allow httpd_t file_t:file getattr;
>allow httpd_t file_t:file read;
>

Man. You open your system to everyone who cracks the apache server.
Open for reading, but that's enough. OK, there are DAC rules too, but
that's too open.

Maybe one of us should create a mailman policy. I will look at what I
can do on the weekend. Saturday will be a working day in Hungary this
weekend, so if I don't manage to find time on Sunday, don't wait for me.

bye,
Ago