Bug 430639

Summary: Stopping mailman causes Permission denied and AVC
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Michal Nowak <mnowak>
Assignee: Daniel Walsh <dwalsh>
CC: ohudlick
Target Milestone: rc
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:06:38 UTC

Description Michal Nowak 2008-01-29 09:40:32 UTC
Description of problem:

Stopping service mailman causes "Permission denied" and AVC.

Version-Release number of selected component (if applicable):

(both recent - to be in RHEL-5.2.0)

mailman-2.1.9-4.el5.ia64
selinux-policy-2.4.6-116.el5.noarch

Actual results: AVC

Expected results: Stopped mailman, no processes running


AVC:

.qa.[root@ia64-5s-1-m1 tps]# /etc/init.d/mailman start
Starting mailman:                                          [  OK  ]

.qa.[root@ia64-5s-1-m1 tps]# /etc/init.d/mailman stop
Shutting down mailman: Traceback (most recent call last):
  File "/usr/lib/mailman/bin/mailmanctl", line 607, in ?
    main()
  File "/usr/lib/mailman/bin/mailmanctl", line 404, in main
    kill_watcher(signal.SIGTERM)
  File "/usr/lib/mailman/bin/mailmanctl", line 160, in kill_watcher
    os.kill(pid, sig)
OSError: [Errno 13] Permission denied
                                                           [FAILED]

.qa.[root@ia64-5s-1-m1 tps]# ausearch -m avc -ts recent
----
time->Tue Jan 29 04:22:18 2008
type=SYSCALL msg=audit(1201598538.441:41829): arch=c0000032 syscall=1053 success=no exit=-13 a0=460 a1=f a2=60000ffffffe353c a3=60000ffffffe3538 items=0 ppid=1139 pid=1140 auid=0 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=pts2 comm="mailmanctl" exe="/usr/bin/python" subj=root:system_r:mailman_mail_t:s0 key=(null)
type=AVC msg=audit(1201598538.441:41829): avc:  denied  { signal } for  pid=1140 comm="mailmanctl" scontext=root:system_r:mailman_mail_t:s0 tcontext=root:system_r:mailman_mail_t:s0 tclass=process

.qa.[root@ia64-5s-1-m1 tps]# ps aux | grep python
mailman   1120  0.0  0.1  81696 10544 ?        Ss   04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
mailman   1126  0.1  0.1  81536 15056 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman   1127  0.1  0.1  81648 15120 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman   1128  0.1  0.1  81504 15088 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman   1129  0.1  0.1  81552 15072 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman   1130  0.1  0.1  81520 15104 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman   1131  0.1  0.1  81616 15216 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman   1132  0.1  0.1  81520 15072 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman   1133  0.1  0.1  81520 15056 ?        S    04:21   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root      1181  0.0  0.0  61280  1776 pts/2    S+   04:25   0:00 grep python
root      2930  0.0  0.0  75056  3616 ?        S<s  Jan20   0:04 python /sbin/audispd
root      3436  0.0  0.0  82192  2784 ?        S    Jan20   0:00 python ./hpssd.py
root     28571  0.0  0.1 147344 10640 ?        S    Jan22   0:07 /usr/bin/python -E /usr/bin/sealert -s

.qa.[root@ia64-5s-1-m1 tps]# fixfiles -R mailman check


Note:

mailman-2.1.9-2.ia64 is OK when stopping; this AVC is probably caused by the
change in the way of starting in the init script.
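
Added example (not part of the original report, and not Red Hat's policy code): pairing the SYSCALL and AVC records above by event id shows which process the denied signal was aimed at and which rule the denial implies. It reads a0/a1 as the pid and signal of kill(2) because the traceback shows os.kill(pid, sig); the function names are illustrative, and the derived rule is what the denial implies, not the change shipped in the errata, which the report does not show.

```python
import errno
import re
import signal

# The two audit records from the report, re-joined to one record per line.
RECORDS = [
    'type=SYSCALL msg=audit(1201598538.441:41829): arch=c0000032 syscall=1053 '
    'success=no exit=-13 a0=460 a1=f a2=60000ffffffe353c a3=60000ffffffe3538 '
    'items=0 ppid=1139 pid=1140 auid=0 uid=41 gid=41 euid=41 suid=41 fsuid=41 '
    'egid=41 sgid=41 fsgid=41 tty=pts2 comm="mailmanctl" exe="/usr/bin/python" '
    'subj=root:system_r:mailman_mail_t:s0 key=(null)',
    'type=AVC msg=audit(1201598538.441:41829): avc:  denied  { signal } for  '
    'pid=1140 comm="mailmanctl" scontext=root:system_r:mailman_mail_t:s0 '
    'tcontext=root:system_r:mailman_mail_t:s0 tclass=process',
]

def parse(record):
    """Return the record's key=value fields plus its event id and AVC permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    fields["event"] = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    perms = re.search(r"\{([^}]*)\}", record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def explain(records):
    """Pair the SYSCALL and AVC records of one event and decode the denied kill()."""
    events = {}
    for rec in map(parse, records):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for recs in events.values():
        if "AVC" not in recs or "SYSCALL" not in recs:
            continue
        avc, sc = recs["AVC"], recs["SYSCALL"]
        src = avc["scontext"].split(":")[2]   # user:role:type:level -> type
        tgt = avc["tcontext"].split(":")[2]
        perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
        findings.append({
            # Assumption: the call is kill(2), as the traceback's os.kill(pid, sig) shows.
            "target_pid": int(sc["a0"], 16),                  # audit prints a0-a3 in hex
            "signal": signal.Signals(int(sc["a1"], 16)).name,
            "errno": errno.errorcode[-int(sc["exit"])],
            # Identical source and target type is written as "self", as audit2allow does.
            "rule": "allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, avc["tclass"], perms),
        })
    return findings

if __name__ == "__main__":
    print(explain(RECORDS))
```

For the records in this report the decoded target is PID 1120, the `mailmanctl -s -q start` process in the `ps` listing, and the signal is SIGTERM, matching `kill_watcher(signal.SIGTERM)` in the traceback.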

Comment 1 Daniel Walsh 2008-01-29 14:39:50 UTC
Yes, this is caused by the upgrade to a newer version.

Fixed in selinux-policy-2.4.6-117.el5

So we are going to need this bug approved to get this package into the errata.

Comment 2 RHEL Program Management 2008-01-29 14:45:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Michal Nowak 2008-01-30 07:48:27 UTC
Thanks for the quick response, as usual. Confirmed working.

Comment 8 errata-xmlrpc 2008-05-21 16:06:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html