The mailing list for listmasters using Sympa

[Liam Kirsher <address@concealed>]

Hi --

Before I re-invent the wheel, I thought I would ask how other admins are
dealing with Sympa on SELinux.

I'm installing the most recent Sympa on a CentOS 5 (virtual) server. 
Sympa runs fine if I set SELinux to Permissive, but I would rather have
it set at Enforcing, which is the default.

1. I needed to install the Sympa dir in /var/www/... instead of
/home/sympa.  I did that, and it got me part of the way, however --
2. mod_fastcgi will not run!  The httpd error log shows streaming error
messages like this:
[Thu Dec 13 16:34:59 2007] [crit] (98)Address already in use: FastCGI:
can't create server "/var/www/sympa/bin/wwsympa.fcgi": bind() failed
[/tmp/fcgi_ipc/5c72a3608fa619be35c88ae7951189f9]
[Thu Dec 13 16:34:59 2007] [error] (13)Permission denied: FastCGI:
unlink() failed to remove socket file
"/tmp/fcgi_ipc/5c72a3608fa619be35c88ae7951189f9" for server
"/var/www/sympa/bin/wwsympa.fcgi"

The audit.log shows a variety of denied messages:
type=AVC msg=audit(1197497913.299:2213): avc:  denied  { ioctl } for 
pid=2618 comm="wwsympa.fcgi" name="robot.conf" dev=xvda ino=33731
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1197497913.299:2213): arch=c000003e syscall=16
success=no exit=-25 a0=4 a1=5401 a2=7fff8caa8290 a3=3 items=0 ppid=2617
pid=2618 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502
sgid=502 fsgid=502 tty=(none) comm="wwsympa.fcgi" exe="/usr/bin/perl"
subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1197497913.339:2214): avc:  denied  { getattr } for 
pid=2618 comm="wwsympa.fcgi" name="log" dev=tmpfs ino=3617
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1197497913.339:2214): arch=c000003e syscall=4
success=yes exit=0 a0=2ac0b80 a1=2888140 a2=2888140 a3=3 items=0
ppid=2617 pid=2618 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) comm="wwsympa.fcgi"
exe="/usr/bin/perl" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC_PATH msg=audit(1197497913.339:2214):  path="/dev/log"
type=AVC msg=audit(1197497913.339:2215): avc:  denied  { write } for 
pid=2618 comm="wwsympa.fcgi" name="log" dev=tmpfs ino=3617
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

I tried changing the selinux settings on the /tmp/fcgi_ipc directory,
but that was not enough.  It's more complicated than just that, since I
think selinux is controlling reading and writing to sockets, writing to
the log file, etc.  What's more, the actual executable is perl.  Anyway,
this is all pretty confusing. I ran audit2allow -m and got:
> module fcgi 1.0;
>
> require {
>         class file { getattr ioctl read };
>         class sock_file { create getattr setattr unlink write };
>         class unix_dgram_socket { connect create ioctl sendto write };
>         class unix_stream_socket { accept getattr ioctl };
>         type devlog_t;
>         type httpd_log_t;
>         type httpd_sys_script_t;
>         type httpd_t;
>         type httpd_tmp_t;
>         type syslogd_t;
>         type tmp_t;
>         role system_r;
> };
>
> allow httpd_sys_script_t devlog_t:sock_file { getattr write };
> allow httpd_sys_script_t httpd_log_t:file ioctl;
> allow httpd_sys_script_t self:unix_dgram_socket { connect create ioctl
> write };
> allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr
> ioctl };
> allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
> allow httpd_sys_script_t tmp_t:file { getattr ioctl read };
> allow httpd_t httpd_tmp_t:sock_file { create setattr unlink write };
But I'm not sure if that will do what I want it to do.  Maybe it would
be better to create an entirely new policy for sympa rather than trying
to jigger the httpd policy...?

Has anyone created a sympa selinux policy, or can give me a pointer on
how to do it?

Liam


-- 
Liam Kirsher
PGP: http://liam.numenet.com/pgp/