Bug 146890
Summary: | SELinux policy prevent new list creation from web interface
---|---
Product: | [Fedora] Fedora
Component: | mailman
Version: | 3
Hardware: | All
OS: | Linux
Status: | CLOSED RAWHIDE
Severity: | medium
Priority: | medium
Reporter: | John Dennis <jdennis>
Assignee: | John Dennis <jdennis>
CC: | abarbati, benl
Doc Type: | Bug Fix
Last Closed: | 2005-02-14 21:45:24 UTC

Description
John Dennis
2005-02-02 15:55:06 UTC
Created attachment 110549
python stack trace
Created attachment 110550
avc error message in /var/log/messages
Note: short-term workarounds include:
1) Disable SELinux
2) Use command line interface to create lists (e.g. bin/newlist)

[From Markus in a private email]
But that was not the only problem between SELinux and mailman. With SELinux turned on I couldn't import a list of new members. I got the error that no usable temporary file could be found. And I wasn't able to change the html sites:

    Traceback (most recent call last):
      File "/usr/lib/mailman/scripts/driver", line 87, in run_main
        main()
      File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
        ChangeHTML(mlist, cgidata, template_name, doc)
      File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
        os.mkdir(langdir, 02775)
    OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'

About the problem with importing new members ("no usable temporary directory"), I just filed bug #147466 with a workaround that does not require SELinux to be disabled.

About this bug, the file policy.conf contains the following policy:

    allow mailman_cgi_t mailman_archive_t:dir { read getattr lock search ioctl add_name remove_name write };

In order to create a list the "create" permission is also necessary and should be added. However, this does not seem to be enough, as there is still a problem when Mailman tries to invoke /usr/sbin/postalias:

    RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases (status: 1, Operation not permitted)

audit2allow says that the problem might be fixed by adding the policy:

    allow mailman_cgi_t self:unix_dgram_socket create;

However, I didn't feel confident to add that, because of my ignorance about possible repercussions.

fixed in latest security policy

*** Bug 151550 has been marked as a duplicate of this bug. ***
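
The policy gap discussed in the comments above, as an added example that is not part of the original bug report and is not audit2allow's or the Fedora policy's own code: it compares AVC denials against the quoted `allow` rule and reports which permissions are missing, separating a permission that extends an existing rule from an entirely new access vector that deserves review. The function names `parse_allow` and `missing_rules` are hypothetical, and the AVC lines are constructed, since the real ones are in an attachment not shown on the page.

```python
import re
from collections import defaultdict

# Rule quoted in the bug report (from policy.conf).
POLICY = ("allow mailman_cgi_t mailman_archive_t:dir "
          "{ read getattr lock search ioctl add_name remove_name write };")

# Constructed AVC denials for illustration; the real messages are in an
# attachment that is not reproduced on the page.
SAMPLE_LOG = """\
kernel: audit(1107359706.101:0): avc:  denied  { create } for  pid=4242 exe=/usr/bin/python name=ma1 scontext=system_u:system_r:mailman_cgi_t tcontext=system_u:object_r:mailman_archive_t tclass=dir
kernel: audit(1107359706.202:0): avc:  denied  { create } for  pid=4243 exe=/usr/sbin/postalias scontext=system_u:system_r:mailman_cgi_t tcontext=system_u:system_r:mailman_cgi_t tclass=unix_dgram_socket
postfix/postalias[4243]: unrelated syslog line
"""

# \b keeps 'auditallow' and 'neverallow' statements from matching.
ALLOW_RE = re.compile(r"\ballow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)"
                    r".*?tcontext=(\S+).*?tclass=(\S+)")

def parse_allow(policy_text):
    """Map (source, target, class) -> permissions granted by allow rules."""
    allowed = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy_text):
        tgt = src if tgt == "self" else tgt   # 'self' means the source type
        allowed[(src, tgt, cls)].update((braced or single).split())
    return allowed

def missing_rules(policy_text, log_text):
    """Return (rule, kind) pairs for denied permissions the policy lacks."""
    allowed = parse_allow(policy_text)
    missing = defaultdict(set)
    for perms, scon, tcon, cls in AVC_RE.findall(log_text):
        # A context is user:role:type[:level]; type enforcement uses field 3.
        key = (scon.split(":")[2], tcon.split(":")[2], cls)
        missing[key] |= set(perms.split()) - allowed.get(key, set())
    out = []
    for key, perms in sorted(missing.items()):
        if not perms:
            continue
        src, tgt, cls = key
        kind = "extends existing rule" if key in allowed else "new access vector"
        tgt = "self" if tgt == src else tgt
        out.append((f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};", kind))
    return out

if __name__ == "__main__":
    for rule, kind in missing_rules(POLICY, SAMPLE_LOG):
        print(f"{kind:>22}: {rule}")
```

Feeding the policy back in with the `create` permission added leaves only the socket rule outstanding, which matches the comment's observation that the directory fix alone is not enough.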