The details were reported in https://bugzilla.redhat.com/show_bug.cgi?id=1450693 which got automatically closed when Fedora 27 was EOL-ed. The problem is unchanged in Fedora 29. The same problem still exists in RHEL / CentOS 7. Currently the work-around is to run your mailer daemon (exim, in my case) unconfined by SELinux.

Here are some example AVCs (which weren't included in the F27 report):

type=AVC msg=audit(1547476466.962:20785635): avc: denied { execute } for pid=3180 comm="exim" name="mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1547476466.962:20785635): avc: denied { execute_no_trans } for pid=3180 comm="exim" path="/usr/lib/mailman/mail/mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Anything further I can do to help with this? Not being able to confine exim, a large daemon with several historical root holes, is not good.
Hi David, Thank you for reporting the issue and providing the reference to the previous bugzilla. We will investigate on it and get back to you.
As described in the prior report, the root problem seems to be simple: there are two rules that apply to /usr/lib/mailman/mail/mailman, and they are applied in the wrong order (irrelevant lines snipped):

# semanage fcontext -l | grep /usr/lib/mailman
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0
/usr/lib/mailman/bin(/.*)?                         all files          system_u:object_r:bin_t:s0

This can be worked-around locally - a new rule manually added will take final precedence:

# semanage fcontext -a -t mailman_mail_exec_t /usr/lib/mailman/mail/mailman
# restorecon /usr/lib/mailman/mail/mailman
# ls -Z /usr/lib/mailman/mail/mailman
-rwxr-sr-x. root mailman system_u:object_r:mailman_mail_exec_t:s0 /usr/lib/mailman/mail/mailman
I've performed the work-around in https://bugzilla.redhat.com/show_bug.cgi?id=1666004#c3 and verified that mail now successfully enters mailman from exim (over SMTP), without any AVCs.
David, Thank you for reporting the issue and for the investigation. It really turns out there are two clashing rules with regexps, just a small correction for the paths:

/usr/lib/mailman/mail(/.*)?                        all files          system_u:object_r:bin_t:s0
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0

I've created a PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/115
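To show why the bin_t entry wins over the apparently more specific mailman_mail_exec_t regex, and why an explicit literal rule (the PR's approach) or a local semanage entry (the work-around) takes precedence, here is an added Python model; it is not part of this bug or of selinux-policy. The specificity ordering is a simplified approximation of the policy build's fc_sort combined with libselinux's last-match-wins lookup, and the explicit rule is a reconstruction of what the PR adds, not its actual text.

```python
import re

# Constructed model of the clashing file_contexts entries quoted in this bug:
# (pattern, file-type filter, SELinux type); None = "all files", "--" = regular file.
BASE_RULES = [
    ("/usr/lib/mailman.*/mail/mailman", "--", "mailman_mail_exec_t"),
    ("/usr/lib/mailman/mail(/.*)?", None, "bin_t"),
]
# Hypothetical reconstruction of the explicit literal rule the fix adds.
EXPLICIT_RULE = ("/usr/lib/mailman/mail/mailman", "--", "mailman_mail_exec_t")

META = ".^$?*+|[({"  # characters that make a pattern a regex


def stem_len(pattern):
    """Length of the literal directory prefix before the first metacharacter."""
    stem = 0
    for i, ch in enumerate(pattern):
        if ch in META:
            return stem
        if ch == "/":
            stem = i
    return stem


def specificity(rule):
    """Approximation of fc_sort: longer stem, then no metachars, then longer text."""
    pattern = rule[0]
    return (stem_len(pattern), not any(c in META for c in pattern), len(pattern))


def lookup(path, base_rules, local_rules=(), is_regular=True):
    """Base entries are ordered least-specific first; local entries (from
    `semanage fcontext -a`) come after all of them; the last match wins."""
    ordered = sorted(base_rules, key=specificity) + list(local_rules)
    winner = None
    for pattern, ftype, selinux_type in ordered:
        if ftype == "--" and not is_regular:
            continue
        if re.fullmatch(pattern, path):
            winner = selinux_type
    return winner


MAILMAN = "/usr/lib/mailman/mail/mailman"

def as_shipped():            # bin_t: exim_t is not allowed to execute it
    return lookup(MAILMAN, BASE_RULES)

def with_local_workaround(): # the local entry is consulted last and wins
    return lookup(MAILMAN, BASE_RULES, [EXPLICIT_RULE])

def with_fixed_policy():     # the literal rule sorts as most specific and wins
    return lookup(MAILMAN, BASE_RULES + [EXPLICIT_RULE])
```

The explicit rule is narrow on purpose: other files under /usr/lib/mailman/mail still get bin_t in this model.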
commit cd224374bb8af1cea70d86f9594b9213f23bba03 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 14 13:58:42 2019 +0200

    Create explicit fc rule for mailman executable

    BZ(1666004)
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.