Mailman and CGI scripts
Posted: Thu Oct 29, 2009 1:27 pm
I'm working on a policy for a Gentoo server with mailman. The mailman scripts run under egid 280 (mailman) from the apache user (guid/gid 81). I want to have a separate mailman group role applied to the Python scripts, to avoid adding any mailman rules to the python subject of the apache role. So far my attempts to get it working that way didn't work.
These are the definitions from the apache role policy file:
subject /usr/lib64/mailman/cgi-bin/admin o {
group_transition_allow mailman
...
}
Example denial:
grsec: From XXX: (apache:U:/usr/bin/python2.6) denied access to hidden file /var/lib/mailman/lists by /usr/bin/python2.6[python2.6:29023] uid/euid:81/81 gid/egid:280/280, parent /usr/sbin/apache2[apache2:28735] uid/euid:81/81 gid/egid:81/81
The expected behavior would be mailman group role being applied to that access. Any help or suggestions from people using mailman in a similar context will be appreciated.
These are the definitions from the apache role policy file:
subject /usr/lib64/mailman/cgi-bin/admin o {
group_transition_allow mailman
...
}
Example denial:
grsec: From XXX: (apache:U:/usr/bin/python2.6) denied access to hidden file /var/lib/mailman/lists by /usr/bin/python2.6[python2.6:29023] uid/euid:81/81 gid/egid:280/280, parent /usr/sbin/apache2[apache2:28735] uid/euid:81/81 gid/egid:81/81
The expected behavior would be mailman group role being applied to that access. Any help or suggestions from people using mailman in a similar context will be appreciated.