461892 – Mailman can't write to archives due to selinux

Bug 461892 - Mailman can't write to archives due to selinux

Summary: Mailman can't write to archives due to selinux

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-11 08:52 UTC by Sergio Pascual
Modified:	2008-09-24 08:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-09-23 19:40:46 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Local policy (828 bytes, text/plain) 2008-09-11 11:01 UTC, Sergio Pascual	no flags	Details
Audit log (6.69 KB, text/plain) 2008-09-12 07:29 UTC, Sergio Pascual	no flags	Details
Denials related with mailman and crontab (1.22 KB, application/octet-stream) 2008-09-12 10:09 UTC, Sergio Pascual	no flags	Details
View All

Description Sergio Pascual 2008-09-11 08:52:44 UTC

I have installed mailman and every time that a message should go to the list archives, selinux blocks it.

mailman-2.1.9-10.fc9.i386
selinux-policy-targeted-3.3.1-84.fc9.noarch

I get this alarm in setroubleshoot every time a mila should go to archives

SELinux is preventing python (mailman_mail_t) "search" to ./archives (mailman_archive_t). 

I have run restorecon in /var/spool/mailman/archives but nothing changes


Audit messages:
host=myhost type=AVC msg=audit(1221120072.447:132182): avc: denied { search } for pid=5761 comm="python" name="archives" dev=dm-0 ino=386754 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir 

host=myhost type=SYSCALL msg=audit(1221120072.447:132182): arch=40000003 syscall=10 success=no exit=-13 a0=9a844b0 a1=0 a2=2124574 a3=97661b8 items=0 ppid=5755 pid=5761 auid=603 uid=41 gid=41 euid=41 suid=41 fsuid=41 egid=41 sgid=41 fsgid=41 tty=(none) ses=6553 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:mailman_mail_t:s0 key=(null)

Comment 1 Sergio Pascual 2008-09-11 11:01:13 UTC

Created attachment 316420 [details]
Local policy

the following local policy allows me to have working mailman archives

Comment 2 Daniel Walsh 2008-09-11 17:46:32 UTC

Could you attach the avc's used to generate this policy.

Comment 3 Sergio Pascual 2008-09-12 07:29:48 UTC

Created attachment 316541 [details]
Audit log

This file doesn't include avc to create the rules related with 
type mailman_queue_t;

The rule is needed by the mailman cron and I can't get it at the moment

Comment 4 Sergio Pascual 2008-09-12 10:09:17 UTC

Created attachment 316557 [details]
Denials related with mailman and crontab

Comment 5 Daniel Walsh 2008-09-23 19:40:46 UTC

Fixed in selinux-policy-3.5.8-6.fc10.noarch

Comment 6 Sergio Pascual 2008-09-24 08:10:41 UTC

Can this be backported to fedora 9?

Note You need to log in before you can comment on or make changes to this bug.