CentOS4 SELinux enabled
selinux-policy-targeted-1.17.30-2.52.1
mailman-2.1.5-31.rhel4

When creating a new mailing list in mailman through the web interface I receive the following:

OSError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/testlist.mbox'

I seem to have run afoul of the problem with SELinux and Mailman described in bugzilla 146890. The bug report states that it is fixed in the latest security policy (for FC3) as of February 14.

Running audit2allow provides the information given below:

# audit2allow -l -i /var/log/messages
allow httpd_t var_log_t:file { append read write };
allow mailman_cgi_t file_t:dir search;

However, I am too ignorant of SELinux to know what to do with this, and the man pages that I have found do not seem to provide me with much in the way of direction on how to proceed.

Can someone tell me how to get this updated security policy installed on CentOS4, or how to manually apply whatever policy modifications are necessary?

Please send replies directly to me as well as to the list, as I get the digest.

Regards,
Jim

-- 
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3
On Mon, 2005-03-14 at 11:47 -0500, James B. Byrne wrote:
> allow httpd_t var_log_t:file { append read write };
> allow mailman_cgi_t file_t:dir search;

Nuh uh. These permissions are WAY too broad. Log this in the CentOS bug tracker.

However, I realize that you can't necessarily wait for an upstream fix. Refer to this thread:

http://lists.caosity.org/pipermail/centos/2005-March/003270.html

-- 
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
James B. Byrne wrote:
> # audit2allow -l -i /var/log/messages
> allow httpd_t var_log_t:file { append read write };
> allow mailman_cgi_t file_t:dir search;

There's a very good FAQ. Don't take it as an offense, but you will never learn how to work with SELinux if you don't get the basics. There were some posts about creating and loading new policy. Search the archives. Those posts originated 1-2 weeks ago.

I hope it helps you in the long run.

bye,
Ago
Ignacio Vazquez-Abrams wrote:
> On Mon, 2005-03-14 at 11:47 -0500, James B. Byrne wrote:
>> allow httpd_t var_log_t:file { append read write };
>> allow mailman_cgi_t file_t:dir search;
>
> Nuh uh. These permissions are WAY too broad. Log this in the CentOS bug
> tracker.

Yes, you are right. It allows mailman cgis to search all the directories with enough permission in the DAC space.

Hmm. A bug in audit2allow? I think it would be enough to allow mailman to search the mailman related dirs and files.

bye,
Ago
On Mon, 2005-03-14 at 18:08 +0000, Deim Ágoston wrote:
> Ignacio Vazquez-Abrams wrote:
> > On Mon, 2005-03-14 at 11:47 -0500, James B. Byrne wrote:
> >> allow httpd_t var_log_t:file { append read write };
> >> allow mailman_cgi_t file_t:dir search;
> >
> > Nuh uh. These permissions are WAY too broad. Log this in the CentOS bug
> > tracker.
>
> Yes, you are right. It allows mailman cgis to search all the directories
> with enough permission in the DAC space.

It also allows Apache full unrestricted access to /var/log.

> Hmm. A bug in audit2allow?

No, a limitation. audit2allow can only work with what gets dumped in the log, so it can't do file context optimization.

-- 
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
I have stepped through the selinux authentication process with mailman and the following work-around resolves the issue locally. However, this or its equivalent probably should be rolled into an updated selinux-policy-targeted rpm for CentOS.

1. Install selinux-policy-targeted-sources

2. edit /etc/selinux/targeted/src/policy/domains/misc/local.te

3. Add the following lines to local.te

allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write };
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;

4. cd /etc/selinux/targeted/src/policy

5. make reload

6. http://<your server here>/mailman/create now works

-- 
James B. Byrne
> -----Original Message-----
> From: centos-bounces@caosity.org [mailto:centos-bounces@caosity.org] On
> Behalf Of James B. Byrne
> Sent: Wednesday, March 16, 2005 1:26 PM
> To: CentOS discussion and information list
> Subject: Re: [Centos] CentOS4 SELinux and Mailman
>
> I have stepped through the selinux authentication process with
> mailman and the following work-around resolves the issue locally.
> However, this or its equivalent probably should be rolled in to an
> updated selinux-policy-targeted rpm for CentOS.
>
> 1. Install selinux-policy-targeted-sources
>
> 2. edit /etc/selinux/targeted/src/policy/domains/misc/local.te
>
> 3. Add the following lines to local.te
>
> allow mailman_cgi_t file_t:dir search;
> allow mailman_cgi_t file_t:dir write;
> allow mailman_cgi_t file_t:dir add_name;
> allow mailman_cgi_t file_t:dir create;
> allow mailman_cgi_t file_t:file create;
> allow mailman_cgi_t file_t:file { getattr write };
> allow mailman_cgi_t file_t:file read;
> allow mailman_cgi_t file_t:lnk_file create;
>
> 4. cd /etc/selinux/targeted/src/policy
>
> 5. make reload
>
> 6. http://<your server here>/mailman/create now works

This brings up an important question in my mind. My understanding has been that CentOS is a strict reproduction of RHAS, with the exception of all RedHat specific branding, graphics, etc, excepting yum of course. Are additions or modifications such as this made to CentOS that aren't in the equivalent RHAS packages? If so, how are they tracked and are they distinguished in the Release Notes?

Thanks!

marc
On Wed, 2005-03-16 at 13:41 -0600, Marc Powell wrote:
> > -----Original Message-----
> > From: centos-bounces@caosity.org [mailto:centos-bounces@caosity.org] On
> > Behalf Of James B. Byrne
> > Sent: Wednesday, March 16, 2005 1:26 PM
> > To: CentOS discussion and information list
> > Subject: Re: [Centos] CentOS4 SELinux and Mailman
> >
> > I have stepped through the selinux authentication process with
> > mailman and the following work-around resolves the issue locally.
> > However, this or its equivalent probably should be rolled in to an
> > updated selinux-policy-targeted rpm for CentOS.
> >
> > 1. Install selinux-policy-targeted-sources
> >
> > 2. edit /etc/selinux/targeted/src/policy/domains/misc/local.te
> >
> > 3. Add the following lines to local.te
> >
> > allow mailman_cgi_t file_t:dir search;
> > allow mailman_cgi_t file_t:dir write;
> > allow mailman_cgi_t file_t:dir add_name;
> > allow mailman_cgi_t file_t:dir create;
> > allow mailman_cgi_t file_t:file create;
> > allow mailman_cgi_t file_t:file { getattr write };
> > allow mailman_cgi_t file_t:file read;
> > allow mailman_cgi_t file_t:lnk_file create;
> >
> > 4. cd /etc/selinux/targeted/src/policy
> >
> > 5. make reload
> >
> > 6. http://<your server here>/mailman/create now works
>
> This brings up an important question in my mind. My understanding has
> been that CentOS is a strict reproduction of RHAS, with the exception of
> all RedHat specific branding, graphics, etc, excepting yum of course.
> Are additions or modifications such as this made to CentOS that aren't
> in the equivalent RHAS packages? If so, how are they tracked and are
> they distinguished in the Release Notes?
>
> Thanks!
>
> marc

If something is changed in CentOS-4, it will have a .centos4 in the package name. There is a change note in the changelog that explains what has changed. (The exception being the kernel, which is changed and not labeled .centos4 because the name needs to remain the same for compatibility.)

I think that if this is a required change for mailman, it will be an FAQ entry and a forum post and not a package change. But we may post it to the RH bugzilla if it is applicable there.

We do not normally change packages to fix upstream bugs unless it is not functional without the change.

Thanks for the fix though ... we need people to fix issues and provide solutions whenever possible :)
On Wed, 16 Mar 2005 15:38:48 -0600, Johnny Hughes <mailing-lists@hughesjr.com> wrote:
> On Wed, 2005-03-16 at 13:41 -0600, Marc Powell wrote:
> >
> [snip]
> If something is changed in CentOS-4, it will have a .centos4 in the
> package name. There is a change note in the changelog that explains
> what has changed. (The exception being the kernel, which is changed and
> not labeled .centos4 because the name needs to remain the same for
> compatibility.)
>
> I think that if this is a required change for mailman, it will be an FAQ
> entry and a forum post and not a package change. But we may post it to
> the RH bugzilla if it is applicable there.
>
> We do not normally change packages to fix upstream bugs unless it is not
> functional without the change.
>
> Thanks for the fix though ... we need people to fix issues and provide
> solutions whenever possible :)
>

Maybe the OP would be willing to package this and put it on DAG?

-- 
Leonard Isham, CISSP
Ostendo non ostento.
Johnny Hughes wrote:
> On Wed, 2005-03-16 at 13:41 -0600, Marc Powell wrote:
>>> -----Original Message-----
>>> From: centos-bounces@caosity.org [mailto:centos-bounces@caosity.org] On
>>> Behalf Of James B. Byrne
>>> Sent: Wednesday, March 16, 2005 1:26 PM
>>> To: CentOS discussion and information list
>>> Subject: Re: [Centos] CentOS4 SELinux and Mailman
>>>
>>> I have stepped through the selinux authentication process with
>>> mailman and the following work-around resolves the issue locally.
>>> However, this or its equivalent probably should be rolled in to an
>>> updated selinux-policy-targeted rpm for CentOS.
>>>
>>> 1. Install selinux-policy-targeted-sources
>>>
>>> 2. edit /etc/selinux/targeted/src/policy/domains/misc/local.te
>>>
>>> 3. Add the following lines to local.te
>>>
>>> allow mailman_cgi_t file_t:dir search;
>>> allow mailman_cgi_t file_t:dir write;
>>> allow mailman_cgi_t file_t:dir add_name;
>>> allow mailman_cgi_t file_t:dir create;
>>> allow mailman_cgi_t file_t:file create;
>>> allow mailman_cgi_t file_t:file { getattr write };
>>> allow mailman_cgi_t file_t:file read;
>>> allow mailman_cgi_t file_t:lnk_file create;

I don't want to complain. But if I read it clearly - and assume I do - this opens the gate to mailman to write every file on the disks. Wouldn't it be much more wise to only allow the required dirs/files? Eg.:

allow mailman_cgi_t mailman_spool_t:file { getattr write};

etc.

Just my 0.2$.

bye,
Ago
On Wed, 2005-03-16 at 17:07 -0500, Leonard Isham wrote:
> On Wed, 16 Mar 2005 15:38:48 -0600, Johnny Hughes
> <mailing-lists@hughesjr.com> wrote:
> > On Wed, 2005-03-16 at 13:41 -0600, Marc Powell wrote:
> > >
> > [snip]
> > If something is changed in CentOS-4, it will have a .centos4 in the
> > package name. There is a change note in the changelog that explains
> > what has changed. (The exception being the kernel, which is changed and
> > not labeled .centos4 because the name needs to remain the same for
> > compatibility.)
> >
> > I think that if this is a required change for mailman, it will be an FAQ
> > entry and a forum post and not a package change. But we may post it to
> > the RH bugzilla if it is applicable there.
> >
> > We do not normally change packages to fix upstream bugs unless it is not
> > functional without the change.
> >
> > Thanks for the fix though ... we need people to fix issues and provide
> > solutions whenever possible :)
> >
>
> Maybe the OP would be willing to package this and put it on DAG?
>

Or we might be able to make it a contrib rpm ...
On Wed, 16 Mar 2005 23:15:11 +0000 Deim Ágoston <ago@lsc.hu>:
> I don't want to complain. But if I read it clearly - and assume I
> do - this opens the gate to mailman to write every file on the
> disks. Wouldn't it be much more wise to only allow the required
> dirs/files? Eg.:
>
> allow mailman_cgi_t mailman_spool_t:file { getattr write};
>
> etc.

On my system adding this line gives this result:

allow mailman_cgi_t mailman_spool_t:file { getattr write};
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1

Perhaps your suggested modification was incomplete? Are there contingent alterations required elsewhere to get this to work?

My original note provided the means to successfully allow mailman to create lists within SELinux as shipped on CentOS4. It is incomplete however in that other mailman web based functionality remains impaired or inoperative. I am attempting to determine which are strictly SELinux issues and which are simple httpd.conf issues.

It appears that to access web archives the following lines are also necessary in local.te:

allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };

So the entire setup for mailman in /etc/selinux/targeted/src/policy/domains/misc/local.te presently looks like this:

allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write};
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };

Regards,
Jim

-- 
James B. Byrne
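An added check, not from anyone in this thread, for the two objections raised above: Ignacio's that the audit2allow output is far too broad, and Ago's that the local.te rules let mailman write every file. It parses TE allow rules of the form used in local.te and flags any whose target type is file_t (the type of files that carry no label at all) or var_log_t (the generic type of /var/log); the list of broad types and the sample rules are constructed here, not taken from any shipped policy.

```python
import re

# Target types a local.te rule should almost never name (assumed list):
# file_t is what SELinux assigns to files that carry no label, so a rule
# on file_t reaches every unlabeled file; var_log_t is the generic type of
# /var/log, so an httpd rule on it covers every daemon's logs.
BROAD_TYPES = {
    "file_t": "unlabeled files anywhere on the system",
    "var_log_t": "every log file under /var/log",
}
# Permissions that modify the object rather than just inspect it.
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "unlink", "rename", "setattr"}
# allow <source> <target>:<class> <perm | { perm perm ... }>;
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow(line):
    """Return (source, target, class, perms) for one TE allow rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, set(perms.strip("{} ").split())

def audit_te(text):
    """Return (rule, finding) pairs for allow rules that target a broad type.
    The finding says 'write' if any permission modifies the object, else 'read'."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_allow(raw)
        if parsed is None or parsed[1] not in BROAD_TYPES:
            continue
        src, tgt, cls, perms = parsed
        kind = "write" if perms & WRITE_PERMS else "read"
        findings.append((raw.strip(),
                         f"{src} gets {kind} access to {cls} objects of type "
                         f"{tgt}: {BROAD_TYPES[tgt]}"))
    return findings

# Constructed sample: rules from the thread plus Ago's narrower suggestion.
SAMPLE_TE = """\
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir { write add_name create };
allow mailman_cgi_t file_t:file { getattr write};
allow httpd_t var_log_t:file { append read write };
allow mailman_cgi_t mailman_spool_t:file { getattr write };
"""

if __name__ == "__main__":
    for rule, why in audit_te(SAMPLE_TE):
        print(f"{rule}\n    -> {why}")
```

A denial on file_t usually means the mailman directories are unlabeled rather than that policy is missing, which is the "file context" point Ignacio makes; checking the label with `ls -Z /var/lib/mailman` and relabeling with `restorecon -R` before adding allow rules keeps the grant tied to mailman's own types.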