Bug 465787

Summary: mailman's weekly archiving blocked by selinux
Product: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: David Nalley <david>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2008-10-07 00:34:01 UTC

Description David Nalley 2008-10-06 12:52:08 UTC
Description of problem: Each week mailman archives 


Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-84.fc9.noarch



How reproducible: consistently


Steps to Reproduce:
1. Install mailman and configure it to process list traffic on a machine with SELinux enabled
2. Wait one week (or until the next weekly processing)

Actual results: Mailman continues running but ceases handling list traffic. In addition, the archiving never occurs.


Expected results: Mailman should handle the archiving, and continue processing list traffic. 


Additional info:
AVC errors received: 
Oct  6 08:00:10 uclug kernel: type=1400 audit(1223294410.786:122798): avc:  denied  { search } for  pid=10737 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 08:03:25 uclug kernel: type=1400 audit(1223294605.049:122799): avc:  denied  { search } for  pid=10737 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 08:03:26 uclug kernel: type=1400 audit(1223294606.347:122800): avc:  denied  { search } for  pid=10740 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir

Oct  6 08:11:04 uclug kernel: type=1400 audit(1223295064.721:122803): avc:  denied  { dac_override } for  pid=6809 comm="mailmanctl" capability=1 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=capability
Oct  6 08:11:10 uclug kernel: type=1400 audit(1223295070.072:122804): avc:  denied  { dac_override } for  pid=6814 comm="mailmanctl" capability=1 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=capability


From the .te files we ran to fix the problem:

module jlnmailmanlog 1.0;

require {
        type mailman_mail_t;
        type mailman_archive_t;
        class dir search;
}

#============= mailman_mail_t ==============
# Allow rule implied by the require block above and the "search" denials on
# the archives directory (the allow line is missing from the report as pasted).
allow mailman_mail_t mailman_archive_t:dir search;


module jlnmailmanlog2 1.0;

require {
        type mailman_mail_t;
        class capability dac_override;
}

#============= mailman_mail_t ==============
# Allow rule implied by the require block above and the dac_override denials;
# a domain's own capabilities are granted against "self".
allow mailman_mail_t self:capability dac_override;

Comment 1 David Nalley 2008-10-06 14:10:04 UTC
One more quick addition to get mailman's web interface to work: 

Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.549:122811): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug/attachments/20080928" dev=dm-0 ino=204003 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.550:122812): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug/attachments" dev=dm-0 ino=204002 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.550:122813): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug" dev=dm-0 ino=196660 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.551:122814): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private" dev=dm-0 ino=196131 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.551:122815): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122816): avc:  denied  { search } for  pid=7618 comm="python" name="httpd" dev=dm-0 ino=89761 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122817): avc:  denied  { search } for  pid=7618 comm="python" name="httpd" dev=dm-0 ino=89761 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122818): avc:  denied  { add_name } for  pid=7618 comm="python" name="attachments.lock.uclug.org.7618.5" scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:21 uclug kernel: type=1400 audit(1223301321.968:122819): avc:  denied  { read append } for  pid=7615 comm="python" name="uclug.mbox" dev=dm-0 ino=196659 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:mailman_archive_t:s0 tclass=file




module jlnmailmanlog4 1.0;

require {
	type mailman_mail_t;
	type mailman_archive_t;
	type httpd_config_t;
	class dir { search getattr add_name };
	class file { read append };
}

#============= mailman_mail_t ==============
allow mailman_mail_t httpd_config_t:dir search;
allow mailman_mail_t mailman_archive_t:dir { getattr add_name };
allow mailman_mail_t mailman_archive_t:file { read append };

Comment 2 Daniel Walsh 2008-10-06 18:42:35 UTC
Fixed in selinux-policy-3.3.1-95.fc9.noarch

Comment 3 David Nalley 2008-10-07 00:34:01 UTC
Indeed this is fixed in -95; closing bug.