Bug 484328

Summary: Policy prevents mailman from reading Mailman python files
Product: [Fedora] Fedora
Reporter: Derek Atkins <warlord>
Component: mailman
Assignee: Daniel Novotny <dnovotny>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dnovotny
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2009-02-12 14:44:51 UTC

Description Derek Atkins 2009-02-06 03:41:11 UTC
Description of problem:

Running Fedora-10, I installed mailman, performed a minimal configuration, and then when I tried to run it I got an SELinux violation.  In particular, mailmanctl (mailman_mail_t) could not write to "./Mailman" (lib_t).  And indeed, ls -lZ /usr/lib/mailman/Mailman gives:

   system_u:object_r:lib_t:s0


Version-Release number of selected component (if applicable):

mailman-2.1.11-3.fc10.i386
selinux-policy-targeted-3.5.13-40.fc10.noarch

How reproducible:

Seems to be 100%

Steps to Reproduce:
1. yum install mailman
2. /etc/init.d/mailman start
3. watch the audit logs
  
Actual results:

Mailman seems to fail.

Expected results:

Mailman should work.

Additional info:

Comment 1 Derek Atkins 2009-02-06 03:45:21 UTC
Actually, I think the problem is that I modified /usr/lib/mailman/Mailman/mm_cfg.py as per the mailman instructions to contain my local configuration and this failure is that mailman cannot WRITE to the directory to write out the new compiled pyc file.

Comment 2 Daniel Walsh 2009-02-06 18:47:49 UTC
The problem here is python is trying to write optimized code.

You can just execute 

python /usr/lib/mailman/Mailman/mm_cfg.py 

And that should write the code and then mailman will no longer try to write the code.

Comment 3 Daniel Walsh 2009-02-06 18:51:52 UTC
The real problem here is the cfg file being python.

Comment 4 Derek Atkins 2009-02-06 19:22:32 UTC
Unfortunately running:

python /usr/lib/mailman/Mailman/mm_cfg.py 

did not write out a python /usr/lib/mailman/Mailman/mm_cfg.pyc or python /usr/lib/mailman/Mailman/mm_cfg.pyo

Yes, it would be nicer if the cfg file wasn't python, but that's a different issue.

Comment 5 Derek Atkins 2009-02-06 19:43:48 UTC
Aha, but this worked:

python -c 'import py_compile; py_compile.compile("/usr/lib/mailman/Mailman/mm_cfg.py")'

Comment 6 Daniel Novotny 2009-02-12 14:44:51 UTC
OK, I created a script "mailman-update-cfg" with the contents of Comment #5 and left a note in "mm_cfg.py" that, if you use SELinux, you have to run this script as root after you change the file.
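
A pre-start check in the spirit of the precompile step from Comment 5, as an added example that is not part of the bug thread or the Fedora package: it reports whether the bytecode for a config module is current and compiles it if not, so the confined daemon never has to write into the lib_t directory at run time. It assumes Python 3, where bytecode lives under __pycache__ rather than beside the source as on the Fedora 10 system in this report; the function names are hypothetical.

```python
import importlib.util
import os
import py_compile
import struct
import sys


def bytecode_is_fresh(source):
    """True if cached bytecode for `source` matches this interpreter and the source file."""
    cached = importlib.util.cache_from_source(source)
    try:
        with open(cached, "rb") as fh:
            header = fh.read(16)
    except FileNotFoundError:
        return False
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return False  # truncated, or compiled by a different Python version
    flags, mtime, size = struct.unpack("<III", header[4:])
    if flags & 0x1:
        return False  # hash-based pyc (PEP 552) is not validated here; treat as stale
    st = os.stat(source)
    # Same comparison the importer makes: 32-bit source mtime and size.
    return (mtime == (int(st.st_mtime) & 0xFFFFFFFF)
            and size == (st.st_size & 0xFFFFFFFF))


def ensure_compiled(source):
    """Return 'fresh' if nothing had to be done, 'compiled' after writing bytecode.

    Run this as a user allowed to write next to `source` (root in the bug above).
    Errors propagate, so a failed write is visible here instead of surfacing
    later as an AVC denial against the daemon.
    """
    if bytecode_is_fresh(source):
        return "fresh"
    py_compile.compile(
        source,
        doraise=True,
        invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP,
    )
    return "compiled"


if __name__ == "__main__":
    # Path taken from the report; pass another file as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/mailman/Mailman/mm_cfg.py"
    print(target, ensure_compiled(target))
```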