Mailman and CGI scripts

Posted: Thu Oct 29, 2009 1:27 pm
by sumacsucks
I'm working on a policy for a Gentoo server with mailman. The mailman scripts run under egid 280 (mailman) from the apache user (uid/gid 81). I want to have a separate mailman group role applied to the Python scripts, to avoid adding any mailman rules to the python subject of the apache role. So far my attempts to get it working that way didn't work.

These are the definitions from the apache role policy file:

subject /usr/lib64/mailman/cgi-bin/admin o {
group_transition_allow mailman
...
}

Example denial:
grsec: From XXX: (apache:U:/usr/bin/python2.6) denied access to hidden file /var/lib/mailman/lists by /usr/bin/python2.6[python2.6:29023] uid/euid:81/81 gid/egid:280/280, parent /usr/sbin/apache2[apache2:28735] uid/euid:81/81 gid/egid:81/81

The expected behavior would be mailman group role being applied to that access. Any help or suggestions from people using mailman in a similar context will be appreciated.

Re: Mailman and CGI scripts

Posted: Thu Oct 29, 2009 9:34 pm
by Grach
What you want to achieve isn't possible due to the role hierarchy:
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.

But you could try to start mailman as a shebang script with #!/usr/bin/python2.6 - this would allow the script to be handled as a separate subject for the same apache user role.
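To make the lookup order Grach quotes concrete, here is a small added model of the grsecurity RBAC role hierarchy and subject matching, written for this thread (it is not grsecurity's code). The uid 81, gid 280 and the paths come from the posts above; the allowed-path sets, the Policy class and the assumption that a shebang script is matched by its own path are constructed for the example.

```python
# Toy model of grsecurity RBAC lookup as described in the thread:
# role by user -> group -> default, then subject by executable path.
# Constructed for this thread; not grsecurity code.

DEFAULT, USER, GROUP = "default", "u", "g"

class Policy:
    def __init__(self):
        self.roles = []    # (name, kind, id, {subject_path: {allowed paths}})

    def role(self, name, kind, rid=None):
        subjects = {}
        self.roles.append((name, kind, rid, subjects))
        return subjects

    @staticmethod
    def _under(path, prefix):
        return path == prefix or path.startswith(prefix.rstrip("/") + "/")

    def resolve_role(self, uid, gid):
        # A user role for uid wins over a group role for gid, which wins over
        # the default role. The egid is never consulted while a user role
        # matches, which is why the mailman group role never applies here.
        for kind, rid in ((USER, uid), (GROUP, gid)):
            for r in self.roles:
                if r[1] == kind and r[2] == rid:
                    return r
        return next(r for r in self.roles if r[1] == DEFAULT)

    def check(self, uid, gid, exe, target):
        """Return (role name, matched subject, access allowed?) for one access."""
        name, _, _, subjects = self.resolve_role(uid, gid)
        # Longest subject path covering the executable wins; "/" is the catch-all.
        subj = max((p for p in subjects if self._under(exe, p)), key=len)
        return name, subj, any(self._under(target, p) for p in subjects[subj])

def build_policy():
    pol = Policy()
    pol.role("default", DEFAULT)["/"] = {"/usr", "/lib"}
    apache = pol.role("apache", USER, 81)
    apache["/"] = {"/usr", "/lib", "/var/www"}
    apache["/usr/bin/python2.6"] = {"/usr", "/lib"}       # no mailman paths here
    # Grach's suggestion: give the shebang script its own subject in the apache role
    # (assumption: the kernel matches the script path, not the interpreter).
    apache["/usr/lib64/mailman/cgi-bin/admin"] = {"/usr", "/lib", "/var/lib/mailman"}
    mailman = pol.role("mailman", GROUP, 280)
    mailman["/"] = {"/usr", "/lib", "/var/lib/mailman"}
    return pol
```

Running check(81, 280, "/usr/bin/python2.6", "/var/lib/mailman/lists") reproduces the denial in the first post (apache role, python2.6 subject, access refused), while the same access through the script subject is allowed.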