From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040904 Firefox/0.9.3

Description of problem:
The python files in /var/mailman/pythonlib and /var/mailman/Mailman cannot be accessed when running SELinux strict/enforcing. The problem is that they get labeled with type 'var_t'. Putting them in /usr/lib/python2.3/site-packages would cause them to be labeled as 'lib_t', and allow them to be securely read.

Here is the errored email that gets produced every 5 minutes:

Subject: Cron <mailman@fedora> /var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
X-Cron-Env: <USER=mailman>

Traceback (most recent call last):
  File "/var/mailman/cron/gate_news", line 38, in ?
    import paths
  File "/var/mailman/cron/paths.py", line 59, in ?
    import korean
ImportError: No module named korean

Here is the AVC:

Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc: denied { getattr } for pid=4554 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file

Version-Release number of selected component (if applicable):
mailman-2.1.5-19

How reproducible:
Always

Steps to Reproduce:
1. every 5 minutes, gate_news fails
2. sends errored email
3. etc.

Additional info:
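The AVC record quoted in the report is what a practitioner has to read to tell a mislabeled file (the report's diagnosis: Python modules under /var picked up the generic 'var_t' label) from a genuine policy gap. Below is a small parser for that record format, added here as an example; it is not code from the bug report, from mailman, or from the SELinux tools. It splits the denial into permission set, source/target contexts and object class, merges denials the way audit2allow does into a single allow rule, and flags denials whose target type is one of a configurable set of catch-all directory types. The first log line is the one from the report; the second AVC line and the unrelated sshd line are constructed to exercise merging and filtering. The GENERIC_TYPES set is an assumption (a heuristic, not policy), and the dataclass and function names are the example's own.

```python
"""Parse kernel AVC denial records and derive audit2allow-style rules.

Added example; not part of the Bugzilla report or of mailman.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log.  Line 1 is the denial quoted in the report; line 2 is a
# constructed second denial against the same source/target pair; line 3 is a
# constructed non-AVC line that the parser must skip.
SAMPLE_LOG = """\
Sep 16 07:25:02 fedora kernel: audit(1095344702.129:0): avc: denied { getattr } for pid=4554 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
Sep 16 07:25:02 fedora kernel: audit(1095344702.130:0): avc: denied { read getattr } for pid=4554 exe=/usr/bin/python path=/var/mailman/Mailman/Utils.pyc dev=hda2 ino=444331 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
Sep 16 07:25:03 fedora sshd[1234]: Accepted publickey for root from 10.0.0.5
"""

# Assumption (heuristic): these are catch-all types that policy assigns to files
# purely by their directory.  A denial against one usually means the file should
# carry a more specific label (the fix chosen in this bug), not that the domain
# needs a new allow rule.
GENERIC_TYPES = frozenset({"var_t", "usr_t", "default_t"})

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either a double-quoted string or a run of non-space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:level]; the MLS/MCS level is absent on 2004-era policy."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return user, role, type_, level


@dataclass
class AvcRecord:
    verdict: str            # "denied" or "granted"
    perms: List[str]        # permissions inside the braces, in log order
    fields: Dict[str, str]  # pid, exe, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        return parse_context(self.fields["scontext"])[2]

    @property
    def target_type(self) -> str:
        return parse_context(self.fields["tcontext"])[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    def target_is_generic(self, generic=GENERIC_TYPES) -> bool:
        """True when the denied object carries a catch-all directory label."""
        return self.target_type in generic


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # malformed or truncated record
    return AvcRecord(m.group("verdict"), m.group("perms").split(), fields)


def parse_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def merge_denials(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group denials by (source type, target type, class) and union their permissions."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for r in records:
        if r.verdict != "denied":
            continue
        merged.setdefault((r.source_type, r.target_type, r.tclass), set()).update(r.perms)
    return {key: sorted(perms) for key, perms in merged.items()}


def te_rules(records: List[AvcRecord]) -> List[str]:
    """Render merged denials as TE allow rules, as audit2allow would propose them."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in merge_denials(records).items()
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in te_rules(recs):
        print(rule)
    for r in recs:
        if r.target_is_generic():
            print(f"{r.fields['path']}: target type {r.target_type} is a catch-all; relabel rather than allow")
```

Running the module prints one merged rule for the two denials, `allow mailman_queue_t var_t:file { getattr read };`, and flags both paths because their target type is var_t. That is the decision point the report makes: the rule would work, but granting a confined domain access to everything labeled var_t is the wrong fix when the files simply need a different label.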
The current locations are also violations of the FHS.
mailman-2.1.5-20 moves the non-data files from /var/mailman to /usr/lib/mailman. This is more in conformance with FHS and sets us up better for implementing the security policy. Dan Walsh has reworked the targeted security policy (not sure about strict) to match the new installation directory. We've tested with the targeted policy and (limited) testing shows no problems.