Bug 171265 - selinux avc denied messages when running some mailman scripts
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
Reported: 2005-10-20 02:02 EDT by Tim Fenn
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-01-27 01:06:58 EST

Description Tim Fenn 2005-10-20 02:02:41 EDT
Description of problem:
Some scripts (e.g. mailmanctl and most cgi-bin scripts) produce selinux avc denied messages - although most components work successfully (for example, it is still possible to create and use lists), others (e.g. mailmanctl) do not.

Version-Release number of selected component (if applicable):
mailman-2.1.5-32.fc3

How reproducible:
Always

Steps to Reproduce:
1. /usr/lib/mailman/bin/mailmanctl status

Actual Results:  No output from the command, the following in /var/log/messages:

Oct 19 22:56:41 agora kernel: audit(1129787801.886:406): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:41 agora kernel: audit(1129787801.887:407): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:41 agora kernel: audit(1129787801.887:408): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:41 agora kernel: audit(1129787801.887:409): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:42 agora kernel: audit(1129787802.039:410): avc:  denied  { search } for  pid=21660 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 22:56:42 agora kernel: audit(1129787802.039:411): avc:  denied  { search } for  pid=21660 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 22:56:42 agora kernel: audit(1129787802.039:412): avc:  denied  { search } for  pid=21660 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 22:56:42 agora kernel: audit(1129787802.039:413): avc:  denied  { search } for  pid=21660 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 22:56:42 agora kernel: audit(1129787802.178:414): avc:  denied  { setgid } for  pid=21660 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability


Expected Results:  # /usr/lib/mailman/bin/mailmanctl status
mailman (pid 25855) is running...

no messages in /var/log/messages

Additional info:

I was able to circumvent the problem by commenting out:

from Mailman.Logging.Syslog import syslog

in the mailmanctl python script, in which case the output was as expected.  This could not be tested with the scripts in the cgi-bin directory, as they are pre-compiled python executables.  This problem was not reproducible in FC4 using mailman-2.1.5-35.fc4.
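The records quoted in the description share the fixed layout of a kernel AVC message: the verdict, the permission set in braces, then key=value fields carrying the source context, target context and object class. The triage step a policy maintainer does on such a report is to collapse the repeats into the distinct (source type, target type, class) tuples and see what each one would need. The following Python is an added example written for this page; it is not code from the report or from Fedora's tooling. It parses lines in that format, groups the denials, and renders each group as an allow rule in the form audit2allow prints. SAMPLE_LOG is constructed from four of the report's own records re-joined onto single lines, plus one unrelated kernel line to show that non-AVC lines are skipped.

```python
import re
from collections import OrderedDict

# Constructed sample input: four of the AVC records quoted in the report, each
# re-joined onto one line, plus one unrelated kernel line to show it is skipped.
SAMPLE_LOG = """\
Oct 19 22:56:41 agora kernel: audit(1129787801.886:406): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:41 agora kernel: audit(1129787801.887:407): avc:  denied  { read write } for  pid=21660 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 22:56:42 agora kernel: audit(1129787802.039:410): avc:  denied  { search } for  pid=21660 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 22:56:42 agora kernel: audit(1129787802.178:414): avc:  denied  { setgid } for  pid=21660 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
Oct 19 22:56:42 agora kernel: eth0: link up
"""

# Shape of one record: 'avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'name': fields.get('name'),
    }


def context_type(ctx):
    """The third colon-separated field of user:role:type[:level] is the type."""
    return ctx.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, object class); merge the
    permissions of each group and count how often it was hit."""
    groups = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        g = groups.setdefault(key, {'perms': set(), 'count': 0, 'comms': set()})
        g['perms'].update(rec['perms'])
        g['count'] += 1
        g['comms'].add(rec['comm'])
    return groups


def candidate_rules(groups):
    """Render each group as an allow rule in the form audit2allow prints.
    A target type equal to the source type is written as 'self', as audit2allow does."""
    rules = []
    for (stype, ttype, tclass), g in groups.items():
        target = 'self' if stype == ttype else ttype
        perms = sorted(g['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines())
    for (stype, ttype, tclass), g in summary.items():
        print(f"{g['count']:3d}x {stype} -> {ttype}:{tclass} "
              f"{sorted(g['perms'])} comm={sorted(g['comms'])}")
    print('\n'.join(candidate_rules(summary)))
```

On the sample the three groups come out as `mailman_mail_t` needing `{ read write }` on a `devpts_t` chr_file, `search` on a `var_run_t` dir, and the `setgid` capability on itself. Those rules are the starting point for the FC3-versus-FC4 policy comparison, not the fix: before adding a blanket allow, check (for instance with sesearch) whether the other release's policy already grants the access or instead labels the target object with a more specific type, since a file-context change is usually the narrower answer.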
Comment 1 John Dennis 2005-10-20 10:01:25 EDT
Dan:

Looks like there must be a difference in the security policy between FC4 and FC3. When mailmanctl is invoked with the status command it does examine /var/run/mailman looking for pid information. I suspect FC3 is missing this from the security policy.

On another note, with respect to the AVC errors you asked about yesterday concerning invocation of the listinfo cgi script on FC3. I did look at this and the only access I saw to /var/run when I straced the process was to /var/run/nscd/socket which I believe is happening because of glibc lookups, probably because mailman via python is calling getpw*.
Comment 2 Daniel Walsh 2006-01-27 01:06:58 EST
Closing since FC3 is no longer supported.