Bug 730624

Summary: mailman AVCs with unconfined disabled.
Product: [Fedora] Fedora
Reporter: Robin Powell <rlpowell>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Last Closed: 2011-12-04 02:34:11 UTC

Description Robin Powell 2011-08-15 06:44:17 UTC
This is the audit2allow version of the AVCs that come up when doing "/etc/init.d/mailman restart" with unconfined disabled.

Comments in the fix should explain what it needs them for, where I'm aware.


#============= initrc_t ==============
# Allow writing of /usr/lib/mailman/Mailman/mm_cfg.pyc
allow initrc_t lib_t:file write;

#============= init_t ==============
allow init_t mailman_lock_t:file { read getattr open };

#============= initrc_t ==============
allow initrc_t mailman_queue_exec_t:file write;

# Allow writing of /etc/cron.d/mailman, which is blank when mailman
# is off but full of stuff when mailman is on, and written by the
# /etc/init.d script
allow initrc_t system_cron_spool_t:dir { write remove_name add_name };
allow initrc_t system_cron_spool_t:file { write setattr relabelfrom relabelto create unlink open };

Comment 1 Daniel Walsh 2011-08-15 10:54:55 UTC
Could you attach the AVC log files for this?

Comment 2 Robin Powell 2011-08-21 03:05:07 UTC
Here you go, sorry it took so long.

The really weird bit is that it doesn't happen every time; I'm guessing it only refreshes when things are old or something?  Dunno.

type=AVC msg=audit(1313895882.519:704021): avc:  denied  { write } for  pid=19425 comm="mailman" name="mailman" dev=vda2 ino=264364 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895882.519:704021): avc:  denied  { open } for  pid=19425 comm="mailman" name="mailman" dev=vda2 ino=264364 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895883.527:704039): avc:  denied  { write } for  pid=19443 comm="install" name="cron.d" dev=vda2 ino=262675 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1313895883.527:704039): avc:  denied  { remove_name } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264364 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1313895883.527:704039): avc:  denied  { unlink } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264364 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895883.544:704040): avc:  denied  { add_name } for  pid=19443 comm="install" name="mailman" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1313895883.544:704040): avc:  denied  { create } for  pid=19443 comm="install" name="mailman" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895883.547:704041): avc:  denied  { write } for  pid=19443 comm="install" path="/usr/lib/mailman/cron/crontab.in" dev=vda2 ino=413299 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mailman_queue_exec_t:s0 tclass=file
type=AVC msg=audit(1313895883.548:704042): avc:  denied  { setattr } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264322 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895884.013:704043): avc:  denied  { relabelfrom } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264322 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895884.013:704043): avc:  denied  { relabelto } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264322 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1313895884.080:704044): avc:  denied  { read } for  pid=1 comm="systemd" name="master-qrunner.pid" dev=tmpfs ino=1090475 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mailman_lock_t:s0 tclass=file
type=AVC msg=audit(1313895884.080:704045): avc:  denied  { open } for  pid=1 comm="systemd" name="master-qrunner.pid" dev=tmpfs ino=1090475 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mailman_lock_t:s0 tclass=file
type=AVC msg=audit(1313895884.080:704046): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/mailman/master-qrunner.pid" dev=tmpfs ino=1090475 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mailman_lock_t:s0 tclass=file

Comment 3 Fedora Update System 2011-09-08 08:12:14 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 4 Fedora Update System 2011-09-09 05:28:22 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-10-06 00:02:40 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Robin Powell 2011-10-07 22:20:26 UTC
I'm sorry, I'm not sure how I missed the last notification to test this when it was actually in QA, but this is *not* fixed.  Some of these are happening slightly *after* restart, but *shrug*.  Perhaps I need to restorecon something?

Also, there are probably duplicates.

----
type=AVC msg=audit(10/07/2011 15:13:19.900:328602) : avc:  denied  { write } for  pid=12741 comm=mailman-update- name=mm_cfg.pyc dev=vda2 ino=417185 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:lib_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:20.709:328608) : avc:  denied  { open } for  pid=12747 comm=mailman name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:20.709:328608) : avc:  denied  { write } for  pid=12747 comm=mailman name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file

----
type=AVC msg=audit(10/07/2011 15:13:22.685:328627) : avc:  denied  { write open } for  pid=12766 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:22.685:328627) : avc:  denied  { create } for  pid=12766 comm=install name=mailman scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:22.685:328627) : avc:  denied  { add_name } for  pid=12766 comm=install name=mailman scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:13:22.693:328628) : avc:  denied  { write } for  pid=12766 comm=install path=/usr/lib/mailman/cron/crontab.in dev=vda2 ino=413299 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mailman_queue_exec_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:22.743:328629) : avc:  denied  { setattr } for  pid=12766 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:23.523:328631) : avc:  denied  { read } for  pid=1 comm=systemd name=master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:22.683:328626) : avc:  denied  { unlink } for  pid=12766 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:22.683:328626) : avc:  denied  { remove_name } for  pid=12766 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 15:13:22.683:328626) : avc:  denied  { write } for  pid=12766 comm=install name=cron.d dev=vda2 ino=262675 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:13:23.461:328630) : avc:  denied  { relabelto } for  pid=12766 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:23.461:328630) : avc:  denied  { relabelfrom } for  pid=12766 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:23.523:328632) : avc:  denied  { open } for  pid=1 comm=systemd name=master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:13:23.523:328633) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/mailman/master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file

----
type=AVC msg=audit(10/07/2011 15:18:31.840:328705) : avc:  denied  { open } for  pid=12880 comm=mailman name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:18:31.840:328705) : avc:  denied  { write } for  pid=12880 comm=mailman name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:31.007:328699) : avc:  denied  { write } for  pid=12874 comm=mailman-update- name=mm_cfg.pyc dev=vda2 ino=417185 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:lib_t:s0 tclass=file
----
type=SERVICE_START msg=audit(10/07/2011 15:18:34.840:328734) : user pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=': comm=mailman exe=/bin/systemd hostname=? addr=? terminal=? res=success'
----
type=BPRM_FCAPS msg=audit(10/07/2011 15:18:32.223:328714) : fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=ffffffffffffffff new_pi=0000000000000000 new_pe=ffffffffffffffff
----
type=AVC msg=audit(10/07/2011 15:18:32.157:328711) : avc:  denied  { write } for  pid=12887 comm=mailman-update- name=mm_cfg.pyc dev=vda2 ino=417185 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:lib_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:33.980:328726) : avc:  denied  { unlink } for  pid=12907 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:18:33.980:328726) : avc:  denied  { remove_name } for  pid=12907 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 15:18:33.980:328726) : avc:  denied  { write } for  pid=12907 comm=install name=cron.d dev=vda2 ino=262675 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:18:34.009:328728) : avc:  denied  { write } for  pid=12907 comm=install path=/usr/lib/mailman/cron/crontab.in dev=vda2 ino=413299 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mailman_queue_exec_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:34.010:328729) : avc:  denied  { setattr } for  pid=12907 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:34.774:328730) : avc:  denied  { relabelto } for  pid=12907 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:18:34.774:328730) : avc:  denied  { relabelfrom } for  pid=12907 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:34.003:328727) : avc:  denied  { write open } for  pid=12907 comm=install name=mailman dev=vda2 ino=262710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:18:34.003:328727) : avc:  denied  { create } for  pid=12907 comm=install name=mailman scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:18:34.003:328727) : avc:  denied  { add_name } for  pid=12907 comm=install name=mailman scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
----
type=AVC msg=audit(10/07/2011 15:18:34.835:328731) : avc:  denied  { read } for  pid=1 comm=systemd name=master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:34.835:328732) : avc:  denied  { open } for  pid=1 comm=systemd name=master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
----
type=AVC msg=audit(10/07/2011 15:18:34.835:328733) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/mailman/master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
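
The description's allow rules are what audit2allow produces from records like the ones pasted in comments 2 and 6. The following is an added example, not part of the bug report or of the selinux-policy package: a small parser that reads both record formats seen on this page (raw audit.log lines with epoch timestamps, as in comment 2, and `ausearch -i` interpreted lines, as in comment 6), groups denied permissions by source type, target type and object class, and renders them as allow rules. It also flags targets whose context user is not system_u, such as the staff_u-labelled mm_cfg.pyc in comment 6, as a triage hint that the object's label is worth checking before a rule is written against its type. The sample records are constructed from lines quoted in this bug; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from records quoted in this bug: raw auditd
# lines (comment 2), `ausearch -i` interpreted lines (comment 6), and one
# non-AVC record that the parser must ignore.
SAMPLE_AVCS = """\
type=AVC msg=audit(1313895883.527:704039): avc:  denied  { write } for  pid=19443 comm="install" name="cron.d" dev=vda2 ino=262675 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1313895883.527:704039): avc:  denied  { remove_name } for  pid=19443 comm="install" name="mailman" dev=vda2 ino=264364 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 15:13:22.685:328627) : avc:  denied  { write open } for  pid=12766 comm=install name=mailman dev=vda2 ino=271623 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:22.683:328626) : avc:  denied  { write } for  pid=12766 comm=install name=cron.d dev=vda2 ino=262675 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(10/07/2011 15:13:22.693:328628) : avc:  denied  { write } for  pid=12766 comm=install path=/usr/lib/mailman/cron/crontab.in dev=vda2 ino=413299 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mailman_queue_exec_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:23.523:328631) : avc:  denied  { read } for  pid=1 comm=systemd name=master-qrunner.pid dev=tmpfs ino=17100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mailman_lock_t:s0 tclass=file
type=AVC msg=audit(10/07/2011 15:13:19.900:328602) : avc:  denied  { write } for  pid=12741 comm=mailman-update- name=mm_cfg.pyc dev=vda2 ino=417185 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:lib_t:s0 tclass=file
type=SERVICE_START msg=audit(10/07/2011 15:18:34.840:328734) : user pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=': comm=mailman exe=/bin/systemd hostname=? addr=? terminal=? res=success'
"""

# Matches the AVC prefix in both formats; the trailing key=value fields are
# parsed separately because the name= value is quoted only in the raw format.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record in either format, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        # The object is reported as name= or, when the kernel has it, as path=.
        "object": fields.get("path") or fields.get("name") or "?",
    }


def type_of(context):
    """The SELinux type is the third colon-separated field of a context (user:role:type:level)."""
    return context.split(":")[2]


def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        denials[key] |= rec["perms"]
    return dict(denials)


def to_allow_rules(denials):
    """Render grouped denials as allow rules in the shape audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def nonsystem_targets(lines):
    """Targets whose context user is not system_u. Package-installed files carry
    system_u; a different user means the object was created at runtime by a
    process running as that SELinux user, so its label deserves a look
    (matchpathcon / restorecon) before a rule is written against its type.
    This is a triage heuristic of this example, not something audit2allow does."""
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and not rec["tcontext"].startswith("system_u:"):
            found.add((rec["object"], rec["tcontext"]))
    return sorted(found)


if __name__ == "__main__":
    sample = SAMPLE_AVCS.splitlines()
    for rule in to_allow_rules(collect_denials(sample)):
        print(rule)
    for obj, ctx in nonsystem_targets(sample):
        print(f"# check label: {obj} is {ctx}")
```

Run against the sample, the grouping reproduces the rules from the description (the two dir denials on cron.d and the mailman entry merge into one `{ remove_name write }` rule), and mm_cfg.pyc is reported as staff_u:object_r:lib_t:s0. The user part of the context does not change the generated rule, since allow rules key on types only, which is why the label check is reported separately rather than folded into the rule output.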

Comment 7 Robin Powell 2011-10-07 23:20:26 UTC
To be clear, I'm running:

selinux-policy.noarch         3.9.16-42.fc15

-Robin

Comment 8 Miroslav Grepl 2011-10-10 10:58:20 UTC
Oops, it was switched to Modified mistakenly.

Fixed in selinux-policy-3.9.16-43.fc15

Comment 9 Fedora Update System 2011-11-16 16:16:07 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 10 Fedora Update System 2011-11-17 23:34:32 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-12-04 02:34:11 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.