Bug 146890

Summary: SELinux policy prevent new list creation from web interface
Product: Fedora
Component: mailman
Version: 3
Reporter: John Dennis <jdennis>
Assignee: John Dennis <jdennis>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
CC: abarbati, benl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-02-14 21:45:24 UTC

Attachments:
- python stack trace (attachment 110549)
- avc error message in /var/log/messages (attachment 110550)

Description John Dennis 2005-02-02 15:55:06 UTC
The SELinux security policy prevents a new list from being created
using the web interface (note: bin/newlist works). Attached are the
mailman stack trace and the avc error message in /var/log/messages.

Note: this was originally reported by Markus Darges
<darges.de> on the mm-users mailing list.

Comment 1 John Dennis 2005-02-02 16:01:19 UTC
Created attachment 110549 [details]
python stack trace

Comment 2 John Dennis 2005-02-02 16:01:56 UTC
Created attachment 110550 [details]
avc error message in /var/log/messages

Comment 3 John Dennis 2005-02-02 16:04:50 UTC
Note: short-term workarounds include:

1) Disable SELinux

2) use command line interface to create lists (e.g. bin/newlist)

Comment 4 John Dennis 2005-02-03 14:33:17 UTC
[From Markus in a private email]

But that was not the only problem between SELinux and mailman. With 
SELinux turned on I couldn't import a list of new members. I got the 
error that no usable temporary file could be found.
And I wasn't able to change the html sites:

Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
    ChangeHTML(mlist, cgidata, template_name, doc)
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
    os.mkdir(langdir, 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'

Comment 5 Alberto Barbati 2005-02-08 10:56:08 UTC
About the problem with importing new members ("no usable temporary
directory"), I just filed bug #147466 with a workaround that does not
require SELinux to be disabled.

About this bug, the file policy.conf contains the following policy:

allow mailman_cgi_t mailman_archive_t:dir { read getattr lock search
ioctl add_name remove_name write };

In order to create a list, the "create" permission is also necessary
and should be added. However, this does not seem to be enough, as
there is still a problem when Mailman tries to invoke /usr/sbin/postalias:

RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases
(status: 1, Operation not permitted)

audit2allow says that the problem might be fixed by adding the policy:

allow mailman_cgi_t self:unix_dgram_socket create;

However, I didn't feel confident adding that, because of my ignorance
about possible repercussions.
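
As an added illustration of the audit2allow step Alberto describes (this is example code, not part of the bug report or of Mailman): the script below parses AVC denial lines of the kind that land in /var/log/messages, collapses them into the SELinux "allow" rules they imply, and renders the target as "self" when source and target type coincide, which is exactly how the unix_dgram_socket rule above arises. The log lines are constructed to mirror this report (a "create" denial on the list directory and a dgram-socket denial during postalias) and are not the attached ones; the fourth line is unrelated syslog noise that must be ignored.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the denials this bug describes.
# They are NOT the page's actual attachment.
SAMPLE_AVC_LINES = """\
Feb  2 10:41:03 host kernel: audit(1107358863.221:0): avc:  denied  { create } for  pid=4711 exe=/usr/bin/python name=de scontext=system_u:system_r:mailman_cgi_t tcontext=system_u:object_r:mailman_archive_t tclass=dir
Feb  2 10:41:03 host kernel: audit(1107358863.222:0): avc:  denied  { write } for  pid=4711 exe=/usr/bin/python name=ma1 dev=hda2 ino=9912 scontext=system_u:system_r:mailman_cgi_t tcontext=system_u:object_r:mailman_archive_t tclass=dir
Feb  2 10:41:04 host kernel: audit(1107358864.010:0): avc:  denied  { create } for  pid=4712 exe=/usr/sbin/postalias scontext=system_u:system_r:mailman_cgi_t tcontext=system_u:system_r:mailman_cgi_t tclass=unix_dgram_socket
Feb  2 10:41:05 host sshd[123]: Accepted publickey for alice from 10.0.0.5
"""

# Matches the permission set, source/target contexts and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field (third ':'-separated part) of a security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type_or_self, tclass, perms) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial: skip unrelated syslog traffic
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        target = "self" if tgt == src else tgt  # same type on both sides => self
        perms = frozenset(m.group("perms").split())
        yield src, target, m.group("tclass"), perms


def denials_to_allow_rules(text):
    """Merge denials by (source, target, class) into sorted 'allow' rule strings."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc_denials(text):
        merged[(src, tgt, tclass)] |= perms
    return [
        f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, tclass), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Each generated rule widens the policy by exactly the permissions that were denied, so it is a starting point for review, not something to load blindly: the "create" on the directory matches what the list-creation code needs, whereas the dgram-socket rule is the one Alberto was rightly unsure about.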

Comment 6 John Dennis 2005-02-14 21:45:24 UTC
Fixed in latest security policy.

Comment 7 Ben Levenson 2005-03-19 17:11:38 UTC
*** Bug 151550 has been marked as a duplicate of this bug. ***