mailman_mail_selinux(8)    SELinux Policy mailman_mail    mailman_mail_selinux(8)

NAME
mailman_mail_selinux - Security Enhanced Linux Policy for the
mailman_mail processes

DESCRIPTION
Security-Enhanced Linux secures the mailman_mail processes via flexible
mandatory access control.

The mailman_mail processes execute with the mailman_mail_t SELinux
type. You can check if you have these processes running by executing
the ps command with the -Z qualifier.

For example:

    ps -eZ | grep mailman_mail_t

ENTRYPOINTS
The mailman_mail_t SELinux type can be entered via the
mailman_mail_exec_t file type.

The default entrypoint paths for the mailman_mail_t domain are the
following:

    /usr/mailman.*/mail/wrapper
    /usr/lib/mailman.*/mail/mailman
    /usr/lib/mailman.*/mail/wrapper
    /usr/lib/mailman.*/bin/mailmanctl
    /usr/lib/mailman.*/scripts/mailman
    /usr/lib/mailman.*/bin/mm-handler.*
    /usr/share/doc/mailman.*/mm-handler.*
    /usr/lib/mailman/bin/mm-handler.*
    /usr/lib/mailman/mail/mailman
    /usr/lib/mailman/bin/mailmanctl

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
mailman_mail policy is very flexible, allowing users to set up their
mailman_mail processes in as secure a method as possible.

The following process types are defined for mailman_mail:

    mailman_mail_t

Note: semanage permissive -a mailman_mail_t can be used to make the
process type mailman_mail_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denials) messages are
still generated.
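
Because a permissive mailman_mail_t still produces AVC records, those records show what enforcing mode would block. The script below is an added example, not part of the generated manual page: it summarizes AVC denials whose source domain is mailman_mail_t and separates accesses that were only logged (permissive=1) from accesses that were blocked (permissive=0). The audit records are constructed samples in the usual audit.log AVC layout, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: triage AVC records for the mailman_mail_t domain.
# SAMPLE_AUDIT holds constructed records, not data from a real host.
SAMPLE_AUDIT='type=AVC msg=audit(1560850001.101:501): avc:  denied  { write } for  pid=2101 comm="mailman" name="error" dev="dm-0" ino=4411 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1560850007.245:509): avc:  denied  { write } for  pid=2140 comm="mailman" name="error" dev="dm-0" ino=4411 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1560850012.530:514): avc:  denied  { read } for  pid=2177 comm="mailman" name="notes" dev="dm-0" ino=9120 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560850020.004:520): avc:  denied  { getattr } for  pid=988 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

# Read audit records on stdin and print one line per distinct denial from
# mailman_mail_t: "<count> <effect> <target type>:<class> <permissions>".
summarize_mailman_avc() {
    awk '
    function val(key,   i) {      # value of the key=value field named key
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    /avc: +denied/ && /scontext=[^ ]*:mailman_mail_t:/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 2, e - s - 3)     # text between the braces
        split(val("tcontext"), ctx, ":")         # user:role:type:level
        # permissive=1: access was allowed and only logged; 0: it was blocked
        effect = (val("permissive") == "1") ? "logged-only" : "blocked"
        seen[effect " " ctx[3] ":" val("tclass") " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# On a real host the input would be the audit log, for example:
#   summarize_mailman_avc < /var/log/audit/audit.log   (assumed default path)
printf '%s\n' "$SAMPLE_AUDIT" | summarize_mailman_avc
```

Each "logged-only" line is an access that will start failing once the domain is returned to enforcing.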

BOOLEANS
SELinux policy is customizable based on least access required.
mailman_mail policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run mailman_mail with the
tightest access possible.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using an sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

    setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

    setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

    setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

    setsebool -P nscd_use_shm 1

MANAGED FILES
The SELinux process type mailman_mail_t can manage files labeled with
the following file types. The paths listed are the default paths for
these file types. Note that the process's UID still needs to have DAC
permissions.

anon_inodefs_t

cluster_conf_t

    /etc/cluster(/.*)?

cluster_var_lib_t

    /var/lib/pcsd(/.*)?
    /var/lib/cluster(/.*)?
    /var/lib/openais(/.*)?
    /var/lib/pengine(/.*)?
    /var/lib/corosync(/.*)?
    /usr/lib/heartbeat(/.*)?
    /var/lib/heartbeat(/.*)?
    /var/lib/pacemaker(/.*)?

cluster_var_run_t

    /var/run/crm(/.*)?
    /var/run/cman_.*
    /var/run/rsctmp(/.*)?
    /var/run/aisexec.*
    /var/run/heartbeat(/.*)?
    /var/run/corosync-qnetd(/.*)?
    /var/run/corosync-qdevice(/.*)?
    /var/run/corosync.pid
    /var/run/cpglockd.pid
    /var/run/rgmanager.pid
    /var/run/cluster/rgmanager.sk

fusefs_t

    /var/run/user/[^/]*/gvfs

mailman_archive_t

    /var/lib/mailman.*/archives(/.*)?

mailman_data_t

    /etc/mailman.*
    /var/lib/mailman(/.*)?
    /var/spool/mailman.*

mailman_lock_t

    /var/lock/mailman.*
    /var/lock/subsys/mailman.*

mailman_log_t

    /var/log/mailman.*

mailman_mail_tmp_t

mailman_var_run_t

    /var/run/mailman.*

root_t

    /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
    /
    /initrd

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux mailman_mail policy is very flexible, allowing users to set up
their mailman_mail processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for mailman_mail. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

    semanage fcontext -a -t mailman_mail_tmp_t '/srv/mymailman_mail_content(/.*)?'
    restorecon -R -v /srv/mymailman_mail_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for mailman_mail:

mailman_mail_exec_t

- Set files with the mailman_mail_exec_t type, if you want to
transition an executable to the mailman_mail_t domain.

Paths:
    /usr/mailman.*/mail/wrapper
    /usr/lib/mailman.*/mail/mailman
    /usr/lib/mailman.*/mail/wrapper
    /usr/lib/mailman.*/bin/mailmanctl
    /usr/lib/mailman.*/scripts/mailman
    /usr/lib/mailman.*/bin/mm-handler.*
    /usr/share/doc/mailman.*/mm-handler.*
    /usr/lib/mailman/bin/mm-handler.*
    /usr/lib/mailman/mail/mailman
    /usr/lib/mailman/bin/mailmanctl

mailman_mail_tmp_t

- Set files with the mailman_mail_tmp_t type, if you want to store
mailman mail temporary files in the /tmp directories.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.
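
A wrapper installed outside the default paths is not labeled mailman_mail_exec_t until a semanage fcontext rule and restorecon are applied. The script below is an added example, not part of the generated manual page: it tests candidate paths against the default mailman_mail_exec_t patterns listed on this page, using whole-path matching as file-context specifications do. It checks only this page's list rather than the full loaded policy, and the function names and sample paths are constructed.

```shell
#!/bin/sh
# Added example. Patterns copied from the default mailman_mail_exec_t
# path list on this page.
ENTRYPOINT_PATTERNS='/usr/mailman.*/mail/wrapper
/usr/lib/mailman.*/mail/mailman
/usr/lib/mailman.*/mail/wrapper
/usr/lib/mailman.*/bin/mailmanctl
/usr/lib/mailman.*/scripts/mailman
/usr/lib/mailman.*/bin/mm-handler.*
/usr/share/doc/mailman.*/mm-handler.*
/usr/lib/mailman/bin/mm-handler.*
/usr/lib/mailman/mail/mailman
/usr/lib/mailman/bin/mailmanctl'

# Print the first listed pattern that matches the whole path, or nothing.
# grep -x anchors the expression at both ends, so a suffix such as ".bak"
# or a different prefix such as /opt takes a path out of the default set.
entrypoint_pattern_for() {
    printf '%s\n' "$ENTRYPOINT_PATTERNS" | while IFS= read -r pat; do
        if printf '%s\n' "$1" | grep -Eqx -e "$pat"; then
            printf '%s\n' "$pat"
            break
        fi
    done
}

# Report whether a path is covered by the default patterns. An uncovered
# wrapper needs "semanage fcontext -a -t mailman_mail_exec_t <regex>"
# followed by restorecon before it can act as an entrypoint.
check_entrypoint() {
    pat=$(entrypoint_pattern_for "$1")
    if [ -n "$pat" ]; then
        printf 'covered %s by %s\n' "$1" "$pat"
    else
        printf 'uncovered %s\n' "$1"
    fi
}

# Constructed sample paths.
for p in /usr/lib/mailman/mail/mailman /usr/lib/mailman-2.1/bin/mm-handler.pl \
         /usr/lib/mailman/bin/mailmanctl.bak /opt/mailman/mail/wrapper; do
    check_entrypoint "$p"
done
```

On a host with the policy loaded, matchpathcon PATH reports the context the full file-context database assigns.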

COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), mailman_mail(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)

mailman_mail    19-06-18    mailman_mail_selinux(8)