mailman_mail_selinux(8)

1mailman_mail_selinux(8)   SELinux Policy mailman_mail  mailman_mail_selinux(8)
2
3
4

NAME

6       mailman_mail_selinux  -  Security  Enhanced  Linux Policy for the mail‐
7       man_mail processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the mailman_mail processes via flexible
11       mandatory access control.
12
13       The  mailman_mail  processes  execute  with  the mailman_mail_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep mailman_mail_t
20
21
22

ENTRYPOINTS

24       The   mailman_mail_t   SELinux  type  can  be  entered  via  the  mail‐
25       man_mail_exec_t file type.
26
27       The default entrypoint paths for the mailman_mail_t domain are the fol‐
28       lowing:
29
30       /usr/mailman.*/mail/wrapper,           /usr/lib/mailman.*/mail/mailman,
31       /usr/lib/mailman.*/mail/wrapper,     /usr/lib/mailman.*/bin/mailmanctl,
32       /usr/lib/mailman.*/scripts/mailman,      /usr/lib/mailman.*/bin/mm-han‐
33       dler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman/bin/mm-
34       handler.*, /usr/lib/mailman/bin/mailmanctl
35

PROCESS TYPES

37       SELinux defines process types (domains) for each process running on the
38       system
39
40       You can see the context of a process using the -Z option to ps
41
42       Policy governs the access confined processes have  to  files.   SELinux
43       mailman_mail  policy  is  very  flexible  allowing users to setup their
44       mailman_mail processes in as secure a method as possible.
45
46       The following process types are defined for mailman_mail:
47
48       mailman_mail_t
49
50       Note: semanage permissive -a mailman_mail_t can be  used  to  make  the
51       process type mailman_mail_t permissive. SELinux does not deny access to
52       permissive process types, but the AVC (SELinux  denials)  messages  are
53       still generated.
54
55

BOOLEANS

57       SELinux  policy  is customizable based on least access required.  mail‐
58       man_mail policy is extremely flexible and  has  several  booleans  that
59       allow you to manipulate the policy and run mailman_mail with the tight‐
60       est access possible.
61
62
63
64       If you want to allow users to resolve user passwd entries directly from
65       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
66       gin_nsswitch_use_ldap boolean. Disabled by default.
67
68       setsebool -P authlogin_nsswitch_use_ldap 1
69
70
71
72       If you want to allow all domains to execute in fips_mode, you must turn
73       on the fips_mode boolean. Enabled by default.
74
75       setsebool -P fips_mode 1
76
77
78
79       If  you  want  to allow confined applications to run with kerberos, you
80       must turn on the kerberos_enabled boolean. Enabled by default.
81
82       setsebool -P kerberos_enabled 1
83
84
85
86       If you want to allow system to run with  NIS,  you  must  turn  on  the
87       nis_enabled boolean. Disabled by default.
88
89       setsebool -P nis_enabled 1
90
91
92
93       If  you  want to allow confined applications to use nscd shared memory,
94       you must turn on the nscd_use_shm boolean. Disabled by default.
95
96       setsebool -P nscd_use_shm 1
97
98
99

MANAGED FILES

101       The SELinux process type mailman_mail_t can manage files  labeled  with
102       the  following  file types.  The paths listed are the default paths for
103       these file types.  Note the processes UID still need to have  DAC  per‐
104       missions.
105
106       anon_inodefs_t
107
108
109       cluster_conf_t
110
111            /etc/cluster(/.*)?
112
113       cluster_var_lib_t
114
115            /var/lib/pcsd(/.*)?
116            /var/lib/cluster(/.*)?
117            /var/lib/openais(/.*)?
118            /var/lib/pengine(/.*)?
119            /var/lib/corosync(/.*)?
120            /usr/lib/heartbeat(/.*)?
121            /var/lib/heartbeat(/.*)?
122            /var/lib/pacemaker(/.*)?
123
124       cluster_var_run_t
125
126            /var/run/crm(/.*)?
127            /var/run/cman_.*
128            /var/run/rsctmp(/.*)?
129            /var/run/aisexec.*
130            /var/run/heartbeat(/.*)?
131            /var/run/corosync-qnetd(/.*)?
132            /var/run/corosync-qdevice(/.*)?
133            /var/run/corosync.pid
134            /var/run/cpglockd.pid
135            /var/run/rgmanager.pid
136            /var/run/cluster/rgmanager.sk
137
138       fusefs_t
139
140            /var/run/user/[^/]*/gvfs
141
142       mailman_archive_t
143
144            /var/lib/mailman.*/archives(/.*)?
145
146       mailman_data_t
147
148            /etc/mailman.*
149            /var/lib/mailman(/.*)?
150            /var/spool/mailman.*
151
152       mailman_lock_t
153
154            /var/lock/mailman.*
155            /var/lock/subsys/mailman.*
156
157       mailman_log_t
158
159            /var/log/mailman.*
160
161       mailman_mail_tmp_t
162
163
164       mailman_var_run_t
165
166            /var/run/mailman.*
167
168       root_t
169
170            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
171            /
172            /initrd
173
174

FILE CONTEXTS

176       SELinux requires files to have an extended attribute to define the file
177       type.
178
179       You can see the context of a file using the -Z option to ls
180
181       Policy governs the access  confined  processes  have  to  these  files.
182       SELinux  mailman_mail  policy  is very flexible allowing users to setup
183       their mailman_mail processes in as secure a method as possible.
184
185       STANDARD FILE CONTEXT
186
187       SELinux defines the file context types for  the  mailman_mail,  if  you
188       wanted  to store files with these types in a diffent paths, you need to
189       execute the semanage command to sepecify alternate  labeling  and  then
190       use restorecon to put the labels on disk.
191
192       semanage  fcontext  -a  -t mailman_mail_tmp_t '/srv/mymailman_mail_con‐
193       tent(/.*)?'
194       restorecon -R -v /srv/mymailman_mail_content
195
196       Note: SELinux often uses regular expressions  to  specify  labels  that
197       match multiple files.
198
199       The following file types are defined for mailman_mail:
200
201
202
203       mailman_mail_exec_t
204
205       -  Set  files with the mailman_mail_exec_t type, if you want to transi‐
206       tion an executable to the mailman_mail_t domain.
207
208
209       Paths:
210            /usr/mailman.*/mail/wrapper,      /usr/lib/mailman.*/mail/mailman,
211            /usr/lib/mailman.*/mail/wrapper,      /usr/lib/mailman.*/bin/mail‐
212            manctl,     /usr/lib/mailman.*/scripts/mailman,     /usr/lib/mail‐
213            man.*/bin/mm-handler.*,     /usr/share/doc/mailman.*/mm-handler.*,
214            /usr/lib/mailman/bin/mm-handler.*, /usr/lib/mailman/bin/mailmanctl
215
216
217       mailman_mail_tmp_t
218
219       - Set files with the mailman_mail_tmp_t type,  if  you  want  to  store
220       mailman mail temporary files in the /tmp directories.
221
222
223
224       Note:  File context can be temporarily modified with the chcon command.
225       If you want to permanently change the file context you need to use  the
226       semanage fcontext command.  This will modify the SELinux labeling data‐
227       base.  You will need to use restorecon to apply the labels.
228
229

COMMANDS

231       semanage fcontext can also be used to manipulate default  file  context
232       mappings.
233
234       semanage  permissive  can  also  be used to manipulate whether or not a
235       process type is permissive.
236
237       semanage module can also be used to enable/disable/install/remove  pol‐
238       icy modules.
239
240       semanage boolean can also be used to manipulate the booleans
241
242
243       system-config-selinux is a GUI tool available to customize SELinux pol‐
244       icy settings.
245
246

AUTHOR

248       This manual page was auto-generated using sepolicy manpage .
249
250