Bug 849418

Summary: Mailman + postfix list creation on web interface fails when selinux is active
Product: [Fedora] Fedora
Reporter: Pierre Blavy <pierreblavy>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, jkaluza, mgrepl
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-09-21 23:58:35 UTC
Type: Bug

Description Pierre Blavy 2012-08-19 11:13:57 UTC
Description of problem:
When a mailman list is created in the web interface I get the error:
Bug in Mailman version 2.1.14
We're sorry, we hit a bug!

The list is "half created": it appears in mailman, it can be administrated, but the mails are not sent to list users; they are silently dropped in a black hole.

Disabling selinux is a workaround.

Version-Release number of selected component (if applicable):
Mailman 2.1.14
selinux last update (19/august/2012)

How reproducible: always

Steps to Reproduce:
1. install mailman and postfix (see "installing mailman with postfix" in additional info for details)
2. create a list in the mailman web interface

Expected results: creating a list must work

Additional info:
The bug is related to permissions, as shown in the logs:
RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases (status: 1, Operation not permitted

This is a selinux mess: setenforce 0 is a workaround

--- permissions---
ll -Z /usr/sbin/postalias
-rwxr-xr-x. root root system_u:object_r:postfix_master_exec_t:s0 /usr/sbin/postalias

ll -Z /etc/mailman/aliases 
-rw-rw----. root mailman system_u:object_r:mailman_data_t:s0 /etc/mailman/aliases


--- installing mailman with postfix---
PASSWD=xxxx

yum -y install mailman postfix
chkconfig mailman on
service mailman restart
mailman-update-cfg 
/usr/lib/mailman/bin/mmsitepass $PASSWD

nano /usr/lib/mailman/Mailman/mm_cfg.py 
#ADD (at the end of file) : MTA = 'Postfix'
#ADD (at the end of file) : OWNERS_CAN_DELETE_THEIR_OWN_LISTS = 'yes'

/usr/lib/mailman/bin/genaliases
chmod g+w /etc/mailman/aliases*

nano /etc/postfix/main.cf
#APPEND (at the end of line : alias_maps=xxx) ,hash:/etc/mailman/aliases

newaliases
postfix reload
service postfix restart
service mailman restart

nano /etc/httpd/conf.d/mailman.conf 
#EDIT last line for redirection
service httpd restart

firefox https://somewhere.com/mailman/create




---  cat /var/log/mailman/error ---
Aug 19 12:56:48 2012 (1209) command failed: /usr/sbin/postalias /etc/mailman/aliases (status: 1, Operation not permitted)
Aug 19 12:56:48 2012 admin(1209): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
admin(1209): [----- Mailman Version: 2.1.14 -----] 
admin(1209): [----- Traceback ------] 
admin(1209): Traceback (most recent call last):
admin(1209):   File "/usr/lib/mailman/scripts/driver", line 112, in run_main
admin(1209):     main()
admin(1209):   File "/usr/lib/mailman/Mailman/Cgi/create.py", line 56, in main
admin(1209):     process_request(doc, cgidata)
admin(1209):   File "/usr/lib/mailman/Mailman/Cgi/create.py", line 239, in process_request
admin(1209):     sys.modules[modname].create(mlist, cgi=1)
admin(1209):   File "/usr/lib/mailman/Mailman/MTA/Postfix.py", line 238, in create
admin(1209):     _update_maps()
admin(1209):   File "/usr/lib/mailman/Mailman/MTA/Postfix.py", line 53, in _update_maps
admin(1209):     raise RuntimeError, msg % (acmd, status, errstr)
admin(1209): RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases (status: 1, Operation not permitted)
admin(1209): [----- Python Information -----] 
admin(1209): sys.version     =   2.7.3 (default, Jul 24 2012, 10:05:38) 
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] 
admin(1209): sys.executable  =   /usr/bin/python 
admin(1209): sys.prefix      =   /usr 
admin(1209): sys.exec_prefix =   /usr 
admin(1209): sys.path        =   ['/usr/lib/mailman/pythonlib', '/usr/lib/mailman', '/usr/lib/mailman/scripts', '/usr/lib/mailman', '/usr/lib64/python27.zip', '/usr/lib64/python2.7/', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages'] 
admin(1209): sys.platform    =   linux2 
admin(1209): [----- Environment Variables -----] 
admin(1209):    HTTP_COOKIE: mailman+admin=28020000006983393050732800000033663265343132316331393266393337663930376165643231373831353336623962356466666563; agromots+admin=280200000069183d3050732800000062306463313137663866613136396666613232333861663638353262303439326461366263613635; rando+admin=280200000069cc3d3050732800000034663335326136396337333262396464313563326339656331313366333866323535656233663331; theatre+admin=280200000069ef3d3050732800000062663161333835333266643066623037353865343437393632336534343433653436373632636265; zeppelin+admin=280200000069093e3050732800000030366463336637323636343436613333623233323535663665363436653834323964616531376239; tous+admin=280200000069233e3050732800000063393239633362383333336661366630346134386530313862643264326334356362313533376139; niac+admin=280200000069193f3050732800000066623765313265666533653235643937336461663330666166346365636139303461396632363231; aa9+admin=280200000069d2513050732800000061396530626332633065633531613861373662336332646165363835656431663732396538626666 
admin(1209):    SERVER_SOFTWARE: Apache/2.2.22 (Fedora) 
admin(1209):    SCRIPT_NAME: /mailman/create 
admin(1209):    SERVER_SIGNATURE: <address>Apache/2.2.22 (Fedora) Server at tentacule.be Port 443</address>
admin(1209): 
admin(1209):    REQUEST_METHOD: POST 
admin(1209):    SERVER_PROTOCOL: HTTP/1.1 
admin(1209):    QUERY_STRING:  
admin(1209):    SSL_TLS_SNI: tentacule.be 
admin(1209):    CONTENT_LENGTH: 133 
admin(1209):    HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 
admin(1209):    HTTP_CONNECTION: keep-alive 
admin(1209):    HTTP_REFERER: https://tentacule.be/mailman/create 
admin(1209):    SERVER_NAME: tentacule.be 
admin(1209):    REMOTE_ADDR: 192.168.0.250 
admin(1209):    SERVER_PORT: 443 
admin(1209):    SERVER_ADDR: 192.168.0.1 
admin(1209):    DOCUMENT_ROOT: /var/www/html 
admin(1209):    PYTHONPATH: /usr/lib/mailman 
admin(1209):    SCRIPT_FILENAME: /usr/lib/mailman/cgi-bin/create 
admin(1209):    SERVER_ADMIN: root@localhost 
admin(1209):    HTTP_DNT: 1 
admin(1209):    HTTP_HOST: tentacule.be 
admin(1209):    HTTPS: on 
admin(1209):    REQUEST_URI: /mailman/create 
admin(1209):    HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
admin(1209):    PERL5LIB: /usr/share/awstats/lib:/usr/share/awstats/plugins 
admin(1209):    GATEWAY_INTERFACE: CGI/1.1 
admin(1209):    REMOTE_PORT: 39861 
admin(1209):    HTTP_ACCEPT_LANGUAGE: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 
admin(1209):    CONTENT_TYPE: application/x-www-form-urlencoded 
admin(1209):    HTTP_ACCEPT_ENCODING: gzip, deflate 
[root@tentacule ~]# ^C

Comment 1 Jan Kaluža 2012-08-20 10:57:44 UTC
Thank you, I'm able to reproduce it.

This is the relevant AVC from the selinux log:

type=AVC msg=audit(1345459913.882:111): avc: denied { search } for pid=7852 comm="postalias" name="postfix" dev="dm-1" ino=177968 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

I think a new rule should be created in selinux-policy to allow this behaviour. Changing component to selinux-policy.

Comment 2 Jan Kaluža 2012-08-20 11:04:30 UTC
If you create a new list with Mailman configured with Postfix, the "/usr/sbin/postalias" and "/usr/sbin/postmap" scripts are both called by mailman.
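Comments 1 and 2 above give the AVC denial and the Postfix tools Mailman invokes. The following Python script is an added illustration (it is not part of the bug report, of Mailman, or of the selinux-policy package) of how a triager turns such audit records into the type-enforcement allow rules they imply, which is what audit2allow does. The first sample record is the AVC quoted in comment 1; the second record and the SYSCALL line are constructed for the example and do not come from this report.

```python
"""Summarise SELinux AVC denials into type-enforcement allow rules.

Added example for this bug report; not code from Mailman, Postfix or the
selinux-policy package.  It does what a triager does by hand with
audit2allow: read denial records, group them by (source type, target type,
object class) and print the allow rules they imply.
"""
import re
from collections import defaultdict

# Constructed sample audit log.  The first record is the AVC quoted in
# comment 1 of this bug; the second is a hypothetical follow-on denial
# (assumption, not from the report) that shows how several permissions on
# one object class are merged; the third is a non-AVC record to be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1345459913.882:111): avc: denied { search } for pid=7852 comm="postalias" name="postfix" dev="dm-1" ino=177968 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1345459913.883:112): avc: denied { read open } for pid=7852 comm="postalias" name="main.cf" dev="dm-1" ino=177970 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1345459913.882:111): arch=c000003e syscall=4 success=no exit=-13 comm="postalias"
"""

# Fields of an AVC record in the layout used by the kernel audit subsystem.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'  # permissions, e.g. { read open }
    r'.*?\bscontext=(?P<scontext>\S+)'               # subject (process) context
    r'\s+tcontext=(?P<tcontext>\S+)'                 # target (object) context
    r'\s+tclass=(?P<tclass>\S+)'                     # object class: dir, file, ...
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')            # process name, when present


def type_of(context):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def rules_from_log(text):
    """Aggregate every denial in `text` into sorted type-enforcement allow rules."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules


def commands_denied(text):
    """Process names (comm=) that hit a denial, to compare with what the app runs."""
    records = (parse_avc(line) for line in text.splitlines())
    return sorted({r["comm"] for r in records if r and r["comm"]})


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_AUDIT_LOG):
        print(rule)
    print("denied processes:", ", ".join(commands_denied(SAMPLE_AUDIT_LOG)))
```

For the record from comment 1 the script derives `allow mailman_cgi_t postfix_etc_t:dir search;`, which is the narrow permission Mailman's CGI domain needed in order to run postalias. In practice the derived rules are reviewed before being shipped, either in a local module built with audit2allow or, as happened here, in the distribution's selinux-policy update; the review step matters because the same workflow applied blindly can grant far more than the failing operation requires.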

Comment 3 Miroslav Grepl 2012-09-11 10:10:47 UTC
Added.

Comment 4 Fedora Update System 2012-09-17 12:12:43 UTC
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

Comment 5 Fedora Update System 2012-09-19 02:54:24 UTC
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-09-21 23:58:35 UTC
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Pierre Blavy 2012-09-26 09:24:26 UTC
Works for me, thank you very much!