Mailman and CGI scripts

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Mailman and CGI scripts

Postby sumacsucks » Thu Oct 29, 2009 1:27 pm

I'm working on a policy for a Gentoo server with mailman. The mailman scripts run under egid 280 (mailman) from the apache user (uid/gid 81). I want to have a separate mailman group role applied to the Python scripts, to avoid adding any mailman rules to the python subject of the apache role. So far my attempts to get it working that way didn't work.

These are the definitions from the apache role policy file:

subject /usr/lib64/mailman/cgi-bin/admin o {
group_transition_allow mailman
...
}

Example denial:
grsec: From XXX: (apache:U:/usr/bin/python2.6) denied access to hidden file /var/lib/mailman/lists by /usr/bin/python2.6[python2.6:29023] uid/euid:81/81 gid/egid:280/280, parent /usr/sbin/apache2[apache2:28735] uid/euid:81/81 gid/egid:81/81

The expected behavior would be mailman group role being applied to that access. Any help or suggestions from people using mailman in a similar context will be appreciated.
sumacsucks
 
Posts: 5
Joined: Sat Oct 24, 2009 5:21 am

Re: Mailman and CGI scripts

Postby Grach » Thu Oct 29, 2009 9:34 pm

What you want to achieve isn't possible due to role hierarchy:
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.

But you could try to start mailman as a shebang script with #!/usr/bin/python2.6 - this would allow to handle the script as a separate subject for the same apache user role.
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm
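Added example (not from either poster, and not Mailman's or grsecurity's own files) of how Grach's suggestion fits into the policy sumacsucks already has. The denial line shows which role actually matched: "(apache:U:/usr/bin/python2.6)" is user role apache, subject /usr/bin/python2.6, so the rules have to live in the apache user role. The script path, the python path and /var/lib/mailman/lists are taken from the thread; the access modes listed for the script subject are an assumption about what the admin CGI needs, and the real list has to come from learning mode or from the denials you see. One caveat to check before relying on this: the Linux kernel ignores the setgid bit on interpreted scripts, so a shebang script will not by itself run with egid 280 the way the setgid wrapper does, and the group_transition_allow line should match whichever egid the script really ends up with.

```text
# /usr/lib64/mailman/cgi-bin/admin  (hypothetical replacement for the wrapper)
#!/usr/bin/python2.6
# ... Mailman admin entry point ...

# policy: apache user role (the role the denial shows is matched)
role apache u
subject / {
	...
}

# python subject stays free of mailman rules, as sumacsucks wanted
subject /usr/bin/python2.6 o {
	...
}

# because the script is executed directly, grsec matches the script
# path as the subject instead of the interpreter
subject /usr/lib64/mailman/cgi-bin/admin o {
	# assumed access list; replace with what learning mode reports
	/				h
	/usr/bin/python2.6		x
	/usr/lib64/mailman		r
	/var/lib/mailman/lists		rw
	...
	# only needed if the script still ends up with egid 280
	group_transition_allow mailman
}
```

After the change, the denial for /var/lib/mailman/lists should disappear and any remaining denials should name /usr/lib64/mailman/cgi-bin/admin rather than /usr/bin/python2.6 as the subject; if they still name python2.6, the script is not being executed directly.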
