Bug 132732 - python files in /var/mailman/pythonlib & /var/mailman/MailMan wrong type
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mailman
Version: rawhide
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
: SELinux
Blocks: FC3Target
Reported: 2004-09-16 10:23 EDT by Tom London
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-09-29 16:11:17 EDT


Description Tom London 2004-09-16 10:23:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040904 Firefox/0.9.3

Description of problem:
The python files in /var/mailman/pythonlib and /var/mailman/Mailman
cannot be accessed when running SELinux strict/enforcing.

The problem is that they get labeled with type 'var_t'.

Putting them in /usr/lib/python2.3/site-packages would cause them to
be labeled as 'lib_t', and allow them to be securely read.

Here is the error'ed email that gets produced every 5 minutes:

Subject: Cron <mailman@fedora> /var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
X-Cron-Env: <USER=mailman>

Traceback (most recent call last):
  File "/var/mailman/cron/gate_news", line 38, in ?
    import paths
  File "/var/mailman/cron/paths.py", line 59, in ?
    import korean
ImportError: No module named korean

Here is the AVC:

Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc:  denied 
{ getattr } for  pid=4554 exe=/usr/bin/python
path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330
scontext=system_u:system_r:mailman_queue_t
tcontext=system_u:object_r:var_t tclass=file



Version-Release number of selected component (if applicable):
mailman-2.1.5-19

How reproducible:
Always

Steps to Reproduce:
1. every 5 minutes, gate_news fails
2. sends error'ed email
3. etc.
    

Additional info:

Comment 1 Colin Walters 2004-09-16 13:46:35 EDT
The current locations are also violations of the FHS.

Comment 2 John Dennis 2004-09-28 19:06:54 EDT
mailman-2.1.5-20 moves the non-data files from /var/mailman to
/usr/lib/mailman. This is more in conformance with FHS and sets us up
better for implementing the security policy. Dan Walsh has reworked
the targeted security policy (not sure about strict) to match the new
installation directory. We've tested with the targeted policy and
(limited) testing shows no problems.
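
Added example, not part of the bug report or of any SELinux or mailman tooling: a small Python parser for the AVC record quoted in the description. It extracts the denied permission, the source domain and the target type, and flags a generic target label such as var_t. The GENERIC_TYPES set and the function names are assumptions made for this illustration.

```python
import re

# Constructed from the AVC record quoted in the bug description, including
# the line wrapping introduced by the mail/Bugzilla formatting.
SAMPLE_AVC = """Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc:  denied
{ getattr } for  pid=4554 exe=/usr/bin/python
path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330
scontext=system_u:system_r:mailman_queue_t
tcontext=system_u:object_r:var_t tclass=file"""

# Assumption for this example: types that only say where a file lives, not
# what it is, so a confined domain hitting them suggests a labeling problem.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(record):
    """Parse one (possibly line-wrapped) AVC record into a dict, or None."""
    flat = " ".join(record.split())          # undo wrapping, collapse spaces
    m = AVC_RE.search(flat)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    result = {"result": m.group(1), "perms": m.group(2).split(), "fields": fields}
    for key in ("scontext", "tcontext"):
        # Context is user:role:type, optionally followed by an MLS range.
        parts = fields.get(key, "").split(":")
        result[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return result


def triage(avc):
    """Return a one-line summary and whether the target label looks generic."""
    generic = avc["tcontext_type"] in GENERIC_TYPES
    summary = "%s: %s %s { %s } on %s (%s)" % (
        avc["result"], avc["scontext_type"], avc["fields"].get("tclass"),
        " ".join(avc["perms"]), avc["fields"].get("path"), avc["tcontext_type"])
    return summary, generic


if __name__ == "__main__":
    summary, generic = triage(parse_avc(SAMPLE_AVC))
    print(summary)
    if generic:
        print("target carries a generic type; check the file's location/label")
```

The key=value split is whitespace-based, so a path containing spaces would be truncated; that is enough for the record shown here.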
