diff --git a/cookbooks/basics/files/default/selinux-install-module b/cookbooks/basics/files/default/selinux-install-module
new file mode 100644
index 0000000..29977ad
--- /dev/null
+++ b/cookbooks/basics/files/default/selinux-install-module
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
+
+set -e
+
+if [ $# -ne 1 ]; then
+ echo "usage: $0 MODULE.te"
+ exit 1
+fi
+
+input="$1"
+
+directory=$(dirname "$input")
+
+cd $directory
+
+module=$(basename --suffix=.te "$input")
+
+rm -f ${module}.mod ${module}.pp
+
+checkmodule -M -m -o ${module}.mod ${module}.te
+semodule_package -o ${module}.pp -m ${module}.mod
+semodule -i ${module}.pp
diff --git a/cookbooks/basics/recipes/default.rb b/cookbooks/basics/recipes/default.rb
index e4748ed..96e4e4f 100644
--- a/cookbooks/basics/recipes/default.rb
+++ b/cookbooks/basics/recipes/default.rb
@@ -11,6 +11,18 @@ cookbook_file '/etc/selinux/config' do
 mode 0644
 end
 execute 'setenforce Enforcing'
+execute 'setsebool httpd_can_network_connect 1'
+# directory for local type enforcements
+directory '/etc/selinux/local' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+end
+cookbook_file '/usr/local/bin/selinux-install-module' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+end
 package 'vim'
 package 'bash-completion'
diff --git a/cookbooks/mailman/files/centos/master.cf b/cookbooks/mailman/files/centos/master.cf
new file mode 100644
index 0000000..f5516ac
--- /dev/null
+++ b/cookbooks/mailman/files/centos/master.cf
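Review bot: `cd $directory` and every `${module}` expansion in the rm/checkmodule/semodule_package/semodule lines are unquoted, so a .te path containing whitespace or glob characters is split into several words and the tools are handed the wrong file names; with `set -e` the result is an abort rather than a wrong module being loaded, but the script should still quote, e.g. `cd "$directory"` and `checkmodule -M -m -o "$module.mod" "$module.te"`. The module name taken from `basename --suffix=.te` is not validated, so a name starting with `-` would be parsed as an option by those tools; a check such as `case "$module" in -*|'') echo "bad module name" >&2; exit 1;; esac` after the basename line would close that. Since the script is run as root via a Chef notification, failing loudly on odd input is the right behaviour, and `set -u` alongside `set -e` would also catch an unset variable early.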
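Review bot: `execute 'setsebool httpd_can_network_connect 1'` has no guard and no `-P`, so it runs on every converge and the boolean is lost at the next reboot, leaving the host in a state the recipe believes it has configured. A persistent, idempotent form is `execute 'setsebool -P httpd_can_network_connect 1' do` / `  not_if 'getsebool httpd_can_network_connect | grep -q "on$"'` / `end`. httpd_can_network_connect also lets the web server domain open outbound connections to any port, which is much wider than what the mailman SELinux module later in this commit needs (a local socket); a comment stating which service actually needs it would make the grant reviewable. Minor: the new resources use `mode '0755'` while the existing cookbook_file above uses `mode 0644`; pick one form.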
@@ -0,0 +1,128 @@
+# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+#submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop unix - n n - - pipe
+# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#
+mailman unix - n n - - pipe
+ flags=FR user=mailman:mailman argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
diff --git a/cookbooks/mailman/files/centos/postfix-to-mailman-centos.py b/cookbooks/mailman/files/centos/postfix-to-mailman-centos.py
deleted file mode 100755
index 6629d02..0000000
--- a/cookbooks/mailman/files/centos/postfix-to-mailman-centos.py
+++ /dev/null
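Review bot: The `mailman` pipe entry at the end of the file passes a single `${user}` to postfix-to-mailman.py, which only delivers correctly when main.cf sets `mailman_destination_recipient_limit = 1` (the script's own INSTALLATION comment, added later in this commit, requires it); nothing in this commit shows main.cf, so please confirm the recipe sets it, otherwise multi-recipient messages are handed to the script with only the first recipient. The delivery runs as `user=mailman:mailman`, which matches the SELinux module's assumption that postfix_pipe_t writes into mailman_data_t. Since this file now replaces the whole master.cf (the old recipe only appended to it), a one-line comment above the mailman entry saying it is the only local change from the stock CentOS file would help future diffs, e.g. `# Local change: route the lists virtual domain to Mailman (see transport map)`.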
@@ -1,133 +0,0 @@ -#! /usr/bin/env python - -# Configuration variables - Change these for your site if necessary. -MailmanHome = "/var/lib/mailman"; # Mailman home directory. -MailmanOwner = "postmaster@example.com"; # Postmaster and abuse mail recipient. -MailmanScripts = "/usr/lib/mailman"; # Where mailman scripts reside - -# End of configuration variables. - -# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py) -# -# Interface mailman to a postfix with a mailman transport. Does not require -# the creation of _any_ aliases to connect lists to your mail system. -# -# Dax Kelson, dkelson@gurulabs.com, Sept 2002. -# coverted from qmail to postfix interface -# Jan 2003: Fixes for Mailman 2.1 -# Thanks to Simen E. Sandberg -# Feb 2003: Change the suggested postfix transport to support VERP -# Thanks to Henrique de Moraes Holschuh -# -# This script was originally qmail-to-mailman.py by: -# Bruce Perens, bruce@perens.com, March 1999. -# This is free software under the GNU General Public License. -# -# This script is meant to be called from ~mailman/postfix-to-mailman.py. -# It catches all mail to a virtual domain, eg "lists.example.com". -# It looks at the recipient for each mail message and decides if the mail is -# addressed to a valid list or not, and bounces the message with a helpful -# suggestion if it's not addressed to a list. It decides if it is a posting, -# a list command, or mail to the list administrator, by checking for the -# -admin, -owner, and -request addresses. It will recognize a list as soon -# as the list is created, there is no need to add _any_ aliases for any list. -# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root, -# and owner, and routes those mails to MailmanOwner as defined in the -# configuration variables, above. 
-# -# INSTALLATION: -# -# Install this file as ~mailman/postfix-to-mailman.py -# -# To configure a virtual domain to connect to mailman, edit Postfix thusly: -# -# /etc/postfix/main.cf: -# relay_domains = ... lists.example.com -# transport_maps = hash:/etc/postfix/transport -# mailman_destination_recipient_limit = 1 -# -# /etc/postfix/transport: -# lists.example.com mailman: -# -# /etc/postfix/master.cf -# mailman unix - n n - - pipe -# flags=FR user=mailman:mailman -# argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user} -# -# -# Replace list.example.com above with the name of the domain to be connected -# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you -# don't want to put the name of your main domain here. Typically a virtual -# domain lists.domain.com is used for Mailman, and domain.com for regular -# email. -# - -import sys, os, re, string - -def main(): - os.nice(5) # Handle mailing lists at non-interactive priority. - # delete this if you wish - - os.chdir(MailmanHome + "/lists") - - try: - local = sys.argv[2] - except: - # This might happen if we're not using Postfix - sys.stderr.write("LOCAL not set?\n") - sys.exit(1) - - local = string.lower(local) - local = re.sub("^mailman-","",local) - - names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner", - "abuse") - for i in names: - if i == local: - os.execv("/usr/sbin/sendmail", - ("/usr/sbin/sendmail", MailmanOwner)) - sys.exit(0) - - type = "post" - types = (("-admin$", "admin"), - ("-owner$", "owner"), - ("-request$", "request"), - ("-bounces$", "bounces"), - ("-confirm$", "confirm"), - ("-join$", "join"), - ("-leave$", "leave"), - ("-subscribe$", "subscribe"), - ("-unsubscribe$", "unsubscribe")) - - for i in types: - if re.search(i[0],local): - type = i[1] - local = re.sub(i[0],"",local) - - if os.path.exists(local): - os.execv(MailmanScripts + "/mail/mailman", - (MailmanScripts + "/mail/mailman", type, local)) - else: - bounce() - sys.exit(75) - -def 
bounce(): - bounce_message = """\ -TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on -http://%s/ -That web page will help you subscribe or unsubscribe, and will -give you directions on how to post to each mailing list.\n""" - sys.stderr.write(bounce_message % (sys.argv[1])) - sys.exit(1) - -try: - sys.exit(main()) -except SystemExit, argument: - sys.exit(argument) - -except Exception, argument: - info = sys.exc_info() - trace = info[2] - sys.stderr.write("%s %s\n" % (sys.exc_type, argument)) - sys.stderr.write("Line %d\n" % (trace.tb_lineno)) - sys.exit(75) # Soft failure, try again later. diff --git a/cookbooks/mailman/files/centos/postfix-to-mailman.py b/cookbooks/mailman/files/centos/postfix-to-mailman.py new file mode 100755 index 0000000..6629d02 --- /dev/null +++ b/cookbooks/mailman/files/centos/postfix-to-mailman.py 
@@ -0,0 +1,133 @@ +#! /usr/bin/env python + +# Configuration variables - Change these for your site if necessary. +MailmanHome = "/var/lib/mailman"; # Mailman home directory. +MailmanOwner = "postmaster@example.com"; # Postmaster and abuse mail recipient. +MailmanScripts = "/usr/lib/mailman"; # Where mailman scripts reside + +# End of configuration variables. + +# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py) +# +# Interface mailman to a postfix with a mailman transport. Does not require +# the creation of _any_ aliases to connect lists to your mail system. +# +# Dax Kelson, dkelson@gurulabs.com, Sept 2002. +# coverted from qmail to postfix interface +# Jan 2003: Fixes for Mailman 2.1 +# Thanks to Simen E. Sandberg +# Feb 2003: Change the suggested postfix transport to support VERP +# Thanks to Henrique de Moraes Holschuh +# +# This script was originally qmail-to-mailman.py by: +# Bruce Perens, bruce@perens.com, March 1999. +# This is free software under the GNU General Public License. +# +# This script is meant to be called from ~mailman/postfix-to-mailman.py. +# It catches all mail to a virtual domain, eg "lists.example.com". +# It looks at the recipient for each mail message and decides if the mail is +# addressed to a valid list or not, and bounces the message with a helpful +# suggestion if it's not addressed to a list. It decides if it is a posting, +# a list command, or mail to the list administrator, by checking for the +# -admin, -owner, and -request addresses. It will recognize a list as soon +# as the list is created, there is no need to add _any_ aliases for any list. +# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root, +# and owner, and routes those mails to MailmanOwner as defined in the +# configuration variables, above. 
+# +# INSTALLATION: +# +# Install this file as ~mailman/postfix-to-mailman.py +# +# To configure a virtual domain to connect to mailman, edit Postfix thusly: +# +# /etc/postfix/main.cf: +# relay_domains = ... lists.example.com +# transport_maps = hash:/etc/postfix/transport +# mailman_destination_recipient_limit = 1 +# +# /etc/postfix/transport: +# lists.example.com mailman: +# +# /etc/postfix/master.cf +# mailman unix - n n - - pipe +# flags=FR user=mailman:mailman +# argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user} +# +# +# Replace list.example.com above with the name of the domain to be connected +# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you +# don't want to put the name of your main domain here. Typically a virtual +# domain lists.domain.com is used for Mailman, and domain.com for regular +# email. +# + +import sys, os, re, string + +def main(): + os.nice(5) # Handle mailing lists at non-interactive priority. + # delete this if you wish + + os.chdir(MailmanHome + "/lists") + + try: + local = sys.argv[2] + except: + # This might happen if we're not using Postfix + sys.stderr.write("LOCAL not set?\n") + sys.exit(1) + + local = string.lower(local) + local = re.sub("^mailman-","",local) + + names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner", + "abuse") + for i in names: + if i == local: + os.execv("/usr/sbin/sendmail", + ("/usr/sbin/sendmail", MailmanOwner)) + sys.exit(0) + + type = "post" + types = (("-admin$", "admin"), + ("-owner$", "owner"), + ("-request$", "request"), + ("-bounces$", "bounces"), + ("-confirm$", "confirm"), + ("-join$", "join"), + ("-leave$", "leave"), + ("-subscribe$", "subscribe"), + ("-unsubscribe$", "unsubscribe")) + + for i in types: + if re.search(i[0],local): + type = i[1] + local = re.sub(i[0],"",local) + + if os.path.exists(local): + os.execv(MailmanScripts + "/mail/mailman", + (MailmanScripts + "/mail/mailman", type, local)) + else: + bounce() + sys.exit(75) + +def 
bounce():
+ bounce_message = """\
+TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
+http://%s/
+That web page will help you subscribe or unsubscribe, and will
+give you directions on how to post to each mailing list.\n"""
+ sys.stderr.write(bounce_message % (sys.argv[1]))
+ sys.exit(1)
+
+try:
+ sys.exit(main())
+except SystemExit, argument:
+ sys.exit(argument)
+
+except Exception, argument:
+ info = sys.exc_info()
+ trace = info[2]
+ sys.stderr.write("%s %s\n" % (sys.exc_type, argument))
+ sys.stderr.write("Line %d\n" % (trace.tb_lineno))
+ sys.exit(75) # Soft failure, try again later.
diff --git a/cookbooks/mailman/files/centos/spb_mailman.te b/cookbooks/mailman/files/centos/spb_mailman.te
new file mode 100644
index 0000000..9d3da39
--- /dev/null
+++ b/cookbooks/mailman/files/centos/spb_mailman.te
@@ -0,0 +1,15 @@
+# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
+
+module spb_mailman 1.0;
+
+require {
+ type var_run_t;
+ type httpd_t;
+ type initrc_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+}
+
+#============= httpd_t ==============
+allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t var_run_t:sock_file write;
diff --git a/cookbooks/mailman/files/centos/spb_postfix_mailman.te b/cookbooks/mailman/files/centos/spb_postfix_mailman.te
new file mode 100644
index 0000000..e698800
--- /dev/null
+++ b/cookbooks/mailman/files/centos/spb_postfix_mailman.te
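Review bot: `allow httpd_t initrc_t:unix_stream_socket connectto;` and `allow httpd_t var_run_t:sock_file write;` grant the web server domain connect and write rights to every socket held by the generic init-script domain and every socket file carrying the generic /run label, not just the fcgiwrap socket that the webui recipe's comment names. That is wider than the stated purpose: any other service whose control socket lives under /run with the default label becomes reachable from a compromised httpd process. The narrower fix is to give the fcgiwrap socket (and ideally the fcgiwrap process) a dedicated type via a file context for its path and name that type here; if no dedicated type is available on this CentOS release, record the trade-off in the module header, e.g. `# fcgiwrap is spawned by an init script (initrc_t) and its socket is plain var_run_t; these rules are broader than needed until it gets its own type`.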
@@ -0,0 +1,20 @@
+# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
+
+module spb_postfix_mailman 1.0;
+
+require {
+ type postfix_etc_t;
+ type mailman_log_t;
+ type postfix_pipe_t;
+ type mailman_data_t;
+ class dir { write remove_name getattr search add_name };
+ class file { rename execute read create write getattr open append };
+}
+
+#============= postfix_pipe_t ==============
+
+allow postfix_pipe_t mailman_data_t:dir search;
+allow postfix_pipe_t mailman_data_t:dir { write remove_name getattr add_name };
+allow postfix_pipe_t mailman_data_t:file { rename write getattr read create open };
+allow postfix_pipe_t mailman_log_t:file { read getattr open append };
+allow postfix_pipe_t postfix_etc_t:file execute;
diff --git a/cookbooks/mailman/recipes/default.rb b/cookbooks/mailman/recipes/default.rb
index dbb5213..38258f1 100644
--- a/cookbooks/mailman/recipes/default.rb
+++ b/cookbooks/mailman/recipes/default.rb
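Review bot: `allow postfix_pipe_t postfix_etc_t:file execute;` looks like a leftover from the script's old location: the same commit deletes /etc/postfix/postfix-to-mailman-centos.py and installs the script under /usr/lib/mailman/bin instead, yet this rule lets the pipe delivery domain execute any file labelled postfix_etc_t, i.e. anything under the Postfix configuration directory. Drop the rule and the `execute` permission from the `class file` line in the require block; if the relocated script still fails to run under enforcing mode, the right fix is to label that file correctly rather than to keep execute on the configuration type. The remaining rules on mailman_data_t and mailman_log_t are what a pipe transport needs and read fine, though a comment naming the denials they were derived from would make later audits easier.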
@@ -49,25 +49,29 @@ execute 'compile-postfix-transport' do
 action :nothing
 end
-cookbook_file '/etc/postfix/postfix-to-mailman-centos.py' do
+# FIXME remove this after 2015-05-01
+file '/etc/postfix/postfix-to-mailman-centos.py' do
+ action :delete
+end
+
+cookbook_file '/usr/lib/mailman/bin/postfix-to-mailman.py' do
 owner 'root'
 group 'root'
 mode 0755
 end
-ruby_block 'configure-mailman-transport' do
- block do
- lines = [
- 'mailman unix - n n - - pipe',
- ' flags=FR user=mailman:mailman',
- ' argv=/etc/postfix/postfix-to-mailman-centos.py ${nexthop} ${user}',
- ]
- File.open('/etc/postfix/master.cf', 'a') do |f|
- lines.each do |line|
- f.puts line
- end
- end
- end
- only_if { !system('grep', '^mailman', '/etc/postfix/master.cf')}
+#######################################################################
+# SELinux: allow Postfix pipe process to write to Mailman data
+#######################################################################
+cookbook_file '/etc/selinux/local/spb_postfix_mailman.te' do
+ notifies :run, 'execute[selinux-postfix-mailman]'
+end
+execute 'selinux-postfix-mailman' do
+ command 'selinux-install-module /etc/selinux/local/spb_postfix_mailman.te'
+ action :nothing
 end
+#######################################################################
+cookbook_file '/etc/postfix/master.cf' do
+ notifies :reload, 'service[postfix]'
+end
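Review bot: `execute 'selinux-postfix-mailman'` calls `selinux-install-module` by bare name, but the basics recipe installs it in /usr/local/bin and whether that directory is on PATH during a converge depends on how chef-client is launched (cron, init script and interactive shells differ); since this command loads a policy module as root, use the absolute path: `command '/usr/local/bin/selinux-install-module /etc/selinux/local/spb_postfix_mailman.te'`. The same applies to `execute 'selinux-mailman'` in webui.rb. The two new `cookbook_file` resources for the .te file and master.cf set no owner/group/mode, unlike the neighbouring cookbook_file for postfix-to-mailman.py, so the resulting mode depends on the client's umask on first creation; adding `owner 'root'`, `group 'root'`, `mode 0644` keeps them consistent and reviewable. `notifies :reload, 'service[postfix]'` presumes a `service 'postfix'` resource exists in the recipe; it is not in this hunk, whose first lines also belong to an `execute` block that starts above the hunk, so I could not confirm it.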
@@ -8,6 +8,18 @@ end
 package 'fcgiwrap'
 package 'spawn-fcgi'
+#######################################################################
+# SELinux: allow nginx to connect to the fcgiwrap socket
+#######################################################################
+cookbook_file '/etc/selinux/local/spb_mailman.te' do
+ notifies :run, 'execute[selinux-mailman]'
+end
+execute 'selinux-mailman' do
+ command 'selinux-install-module /etc/selinux/local/spb_mailman.te'
+ action :nothing
+end
+#######################################################################
+
 hostname = node['config']['lists_hostname']
 template "/etc/nginx/conf.d/#{hostname}.conf" do
 source 'mailman.conf.erb'
-- 
libgit2 0.21.2