Bug 132732 - python files in /var/mailman/pythonlib & /var/mailman/MailMan wrong type
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mailman
Version: rawhide
Hardware: i686
OS: Linux
medium
medium
Assignee: John Dennis
Blocks: FC3Target
Reported: 2004-09-16 14:23 UTC by Tom London
Modified: 2007-11-30 22:10 UTC (History)
Last Closed: 2004-09-29 20:11:17 UTC
Description Tom London 2004-09-16 14:23:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040904 Firefox/0.9.3

Description of problem:
The python files in /var/mailman/pythonlib and /var/mailman/Mailman
cannot be accessed when running SELinux strict/enforcing.

The problem is that they get labeled with type 'var_t'.

Putting them in /usr/lib/python2.3/site-packages would cause them to
be labeled as 'lib_t', and allow them to be securely read.

Here is the error'ed email that gets produced every 5 minutes:

Subject: Cron <mailman@fedora> /var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
X-Cron-Env: <USER=mailman>

Traceback (most recent call last):
  File "/var/mailman/cron/gate_news", line 38, in ?
    import paths
  File "/var/mailman/cron/paths.py", line 59, in ?
    import korean
ImportError: No module named korean

Here is the AVC:

Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc:  denied 
{ getattr } for  pid=4554 exe=/usr/bin/python
path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330
scontext=system_u:system_r:mailman_queue_t
tcontext=system_u:object_r:var_t tclass=file



Version-Release number of selected component (if applicable):
mailman-2.1.5-19

How reproducible:
Always

Steps to Reproduce:
1. every 5 minutes, gate_news fails
2. sends error'ed email
3. etc.
    

Additional info:
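
Added example, not part of the original report and not Mailman or SELinux policy code: a small parser for AVC denials like the one quoted above that flags targets labeled with a generic type such as var_t, the sign that a path has no specific file-context rule. The GENERIC_TYPES set, the function names and the second sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumption: generic types that usually mean no specific file-context rule matched.
GENERIC_TYPES = {"var_t", "file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(record):
    """Parse one AVC denial (possibly line-wrapped) into a dict, or None."""
    m = AVC_RE.search(" ".join(record.split()))  # undo syslog/e-mail wrapping
    if not m:
        return None
    avc = dict(KV_RE.findall(m.group(2)))
    avc["perms"] = m.group(1).split()
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = avc.get(key, "").split(":")  # user:role:type[:level]
        avc[out] = parts[2] if len(parts) >= 3 else None
    return avc


def mislabel_suspects(records):
    """Count denials on generic-typed files by (domain, type, directory)."""
    hits = Counter()
    for rec in records:
        avc = parse_avc(rec)
        if avc and avc["ttype"] in GENERIC_TYPES and "path" in avc:
            hits[(avc["stype"], avc["ttype"], avc["path"].rsplit("/", 1)[0])] += 1
    return hits


# First record: the denial quoted in the report, wrapping preserved.
# Second record: constructed for contrast (specific target type, not a labeling gap).
SAMPLE = [
    """Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc:  denied
{ getattr } for  pid=4554 exe=/usr/bin/python
path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330
scontext=system_u:system_r:mailman_queue_t
tcontext=system_u:object_r:var_t tclass=file""",
    "audit(0.0:0): avc:  denied  { write } for  pid=1 exe=/usr/bin/python "
    "path=/usr/lib/python2.3/site-packages/example.pyc dev=hda2 ino=1 "
    "scontext=system_u:system_r:mailman_queue_t "
    "tcontext=system_u:object_r:lib_t tclass=file",
]

if __name__ == "__main__":
    for (domain, ttype, directory), n in mislabel_suspects(SAMPLE).items():
        print(f"{n} denial(s): {domain} -> {ttype} under {directory}")
```
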

Comment 1 Colin Walters 2004-09-16 17:46:35 UTC
The current locations are also violations of the FHS.


Comment 2 John Dennis 2004-09-28 23:06:54 UTC
mailman-2.1.5-20 moves the non-data files from /var/mailman to
/usr/lib/mailman. This is more in conformance with FHS and sets us up
better for implementing the security policy. Dan Walsh has reworked
the targeted security policy (not sure about strict) to match the new
installation directory. We've tested with the targeted policy and
(limited) testing shows no problems.

