Bug 1598958 - Mailman AVCs on F28
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-07-07 07:49 UTC by Robin Powell
Modified: 2019-03-03 06:03 UTC (History)

Fixed In Version: selinux-policy-3.14.1-36.fc28 selinux-policy-3.14.1-42.fc28
Last Closed: 2018-09-11 16:56:08 UTC
Type: Bug



Description Robin Powell 2018-07-07 07:49:17 UTC
Here are the AVCs I've gotten from performing various mailman operations over an extended period on a host freshly upgraded to F28.

"unconfined" is disabled.

rlpowell@stodi> grep -h -i exim ~/scratch/avcs_mailman* | sed -r -e 's; msg=\S+: ; ;' -e 's; ino=[0-9]+ ; ;' -e 's; pid=[0-9]+ ; ;' | sort | uniq -c | sort -n
      1 type=AVC avc:  denied  { map } for  comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" scontext=staff_u:staff_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
      3 type=AVC avc:  denied  { map } for  comm="sendmail" path="/usr/sbin/exim" dev="vdb" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file permissive=1
     11 type=AVC avc:  denied  { map } for  comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
    407 type=AVC avc:  denied  { map } for  comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
rlpowell@stodi> grep -h -i exim ~/scratch/avcs_mailman* | sed -r -e 's; msg=\S+: ; ;' -e 's; ino=[0-9]+ ; ;' -e 's; pid=[0-9]+ ; ;' | sort | uniq | audit2allow -R

require {
        type sendmail_t;
        type exim_exec_t;
        type exim_t;
        class file map;
}

#============= exim_t ==============
corecmd_mmap_bin_files(exim_t)

#============= sendmail_t ==============
allow sendmail_t exim_exec_t:file map;
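
The same triage as a Python sketch, added here and not part of the original report or of selinux-policy: it reduces each AVC to the SELinux types involved (ignoring user, role and level, as type enforcement does) and separates enforcing denials from permissive-mode ones. The function names are illustrative, and the output is the raw allow-rule form rather than the interface form `audit2allow -R` printed above.

```python
import re
from collections import Counter

# Lines copied from this report: three in sed-stripped form, one raw (comment 4).
SAMPLE = [
    'type=AVC avc:  denied  { map } for  comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" scontext=staff_u:staff_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC avc:  denied  { map } for  comm="sendmail" path="/usr/sbin/exim" dev="vdb" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file permissive=1',
    'type=AVC avc:  denied  { map } for  comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1534138701.077:2429370): avc:  denied  { map } for  pid=15419 comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" ino=50913060 scontext=staff_u:staff_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

# Matches both raw audit lines and lines with msg=/pid=/ino= already stripped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
    r'(?:\s+permissive=(?P<mode>[01]))?'
)
MODES = {"0": "enforcing", "1": "permissive"}


def summarize(lines):
    """Count denials per (source type, target type, class, permission, mode)."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        # A context is user:role:type[:level]; only the type drives TE rules.
        stype = m["s"].split(":")[2]
        ttype = m["t"].split(":")[2]
        mode = MODES.get(m["mode"], "unknown")  # older kernels omit the field
        for perm in m["perms"].split():
            counts[(stype, ttype, m["cls"], perm, mode)] += 1
    return counts


def rules(counts, mode=None):
    """Render de-duplicated allow rules, optionally for one mode only."""
    return sorted({f"allow {s} {t}:{c} {p};"
                   for (s, t, c, p, m) in counts if mode in (None, m)})


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("all denials:      ", rules(summary))
    print("blocked for real: ", rules(summary, "enforcing"))
```

Keyed on type alone, the `staff_u:staff_r:exim_t` and `system_u:system_r:exim_t` records reduce to the same `exim_t` to `bin_t` rule.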

Comment 1 Fedora Update System 2018-07-25 22:31:24 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 2 Fedora Update System 2018-07-26 16:33:08 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 3 Fedora Update System 2018-07-29 03:24:56 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Robin Powell 2018-08-13 05:40:30 UTC
Does not work for me.  With:

selinux-policy.noarch                                                                                     3.14.1-37.fc28                                                                                     @updates

I still get:


type=AVC msg=audit(1534138701.077:2429370): avc:  denied  { map } for  pid=15419 comm="mailman" path="/usr/lib/mailman/mail/mailman" dev="vdb" ino=50913060 scontext=staff_u:staff_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

when I try to send mail to a mailman mailing list on my system.

Comment 5 Fedora Update System 2018-09-06 21:57:20 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 6 Fedora Update System 2018-09-07 17:12:47 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 7 Fedora Update System 2018-09-11 16:56:08 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Robin Powell 2019-03-03 06:03:31 UTC
Looks good!

