From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org, Chris PeBenito <pebenito@ieee.org>
Subject: Re: [PATCH] mailman3 V2.1
Date: Wed, 09 Mar 2022 15:53:57 +1100
Message-ID: <1846899.oGztph3vmi@xev>
In-Reply-To: <e4934027-8b31-3218-e9f1-5e9c5aacbda1@ieee.org>

On Tuesday, 1 March 2022 08:01:02 AEDT Chris PeBenito wrote:
> > +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
> > +# service file for the correct context on running /usr/bin/uwsgi for
> > +# mailman3-web
> > +corecmd_bin_entry_type(mailman_cgi_t)
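Review bot: corecmd_bin_entry_type(mailman_cgi_t) makes every bin_t executable a valid entrypoint into mailman_cgi_t, not only /usr/bin/uwsgi, so the domain is entered solely because the unit's SELinuxContext= names it and not because of the executable's label; the comment should state that the rule is deliberately broad and that a unit without SELinuxContext= will run the same binary in the default service domain.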
> 
> Why can't the label be changed for uwsgi?

Because uwsgi is a service program that may be used by many daemons.

> >   allow mailman_mail_t self:capability { dac_override kill setgid setuid
> >   sys_tty_config };> 
> > -allow mailman_mail_t self:process { signal signull setsched };
> > +allow mailman_mail_t self:process { execmem signal signull setsched };
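Review bot: the execmem added to the mailman_mail_t self:process rule needs an in-policy comment naming what triggers it, because execmem removes the W^X guarantee for the whole mail-handling domain and a later reader cannot tell from the rule whether it is still required; the Debian bug cited in this thread (913544) is the reference to record there.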
> 
> Any idea why the execmem is hit?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544

Mailman is mostly Python and function pointers in Python need execmem; this is 
used by the openssl Python library among other things.

> > Index: refpolicy-2.20220219/policy/modules/system/systemd.te
> > ===================================================================
> > --- refpolicy-2.20220219.orig/policy/modules/system/systemd.te
> > +++ refpolicy-2.20220219/policy/modules/system/systemd.te
> > @@ -1796,6 +1796,10 @@ optional_policy(`
> > 
> >   ')
> >   
> >   optional_policy(`
> > 
> > +	mailman_manage_lockdir(systemd_tmpfiles_t)
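Review bot: mailman_manage_lockdir(systemd_tmpfiles_t) inside systemd.te makes the core systemd module carry a per-application rule for the optional mailman module; the dependency should point the other way, with mailman.te declaring its lock directory as tmpfiles-managed via systemd_tmpfilesd_managed(mailman_lock_t), so systemd.te stays free of application-specific rules.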
> 
> There should be a systemd_tmpfilesd_managed(mailman_lock_t) in mailman.te
> instead.

OK, I'll make a new version with that change.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
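As an added example (not part of this patch or of refpolicy), a small Python lint that pulls `allow` rules out of a .te fragment, including brace lists that wrap across lines as in the quoted hunk, and reports the domains granted permissions such as execmem or dac_override that a reviewer would ask about. The sample rules are constructed from the patch lines above; the list of "risky" permissions is this example's own choice.

```python
import re

# Constructed sample: rules taken from the mailman3 patch under discussion,
# plus one harmless rule so the filter has something to ignore.
SAMPLE_TE = """
allow mailman_mail_t self:capability { dac_override kill setgid setuid
sys_tty_config };
allow mailman_mail_t self:process { execmem signal signull setsched };
allow mailman_cgi_t self:process { signal };
"""

# Permissions worth a reviewer's question, per object class (example's own list).
# execmem defeats W^X for the whole domain; dac_override bypasses DAC checks.
RISKY = {
    "process": {"execmem", "execheap", "execstack", "ptrace"},
    "capability": {"dac_override", "sys_admin", "sys_ptrace"},
}

# allow <src> <tgt>:<class> <perm | { perms }> ;
# [^}]* crosses newlines, so a brace list split over lines still parses.
# The lookbehind keeps "neverallow" from matching as "allow".
RULE_RE = re.compile(r"(?<!\w)allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for every allow rule in te_text."""
    rules = []
    for src, tgt, cls, perms in RULE_RE.findall(te_text):
        perm_set = set(perms.strip("{} ").split())
        rules.append((src, tgt, cls, perm_set))
    return rules


def find_risky_grants(te_text):
    """Map each source domain to the risky permissions it is granted."""
    findings = {}
    for src, _tgt, cls, perms in parse_allow_rules(te_text):
        hits = perms & RISKY.get(cls, set())
        if hits:
            findings.setdefault(src, set()).update(hits)
    return findings


if __name__ == "__main__":
    for domain, perms in sorted(find_risky_grants(SAMPLE_TE).items()):
        print(f"{domain}: review {', '.join(sorted(perms))}")
```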
