Bug 465787 - mailman's weekly archiving blocked by selinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-10-06 08:52 EDT by David Nalley
Modified: 2008-10-06 20:34 EDT (History)
Last Closed: 2008-10-06 20:34:01 EDT
Description David Nalley 2008-10-06 08:52:08 EDT
Description of problem: Each week mailman archives 


Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-84.fc9.noarch



How reproducible: consistently


Steps to Reproduce:
1. Install mailman and configure it to process list traffic on a machine with SELinux enabled
2. Wait one week (or until the next weekly processing)

  
Actual results: Mailman continues running but ceases handling list traffic. In addition, the archiving never occurs.


Expected results: Mailman should handle the archiving, and continue processing list traffic. 


Additional info:
AVC errors received: 
Oct  6 08:00:10 uclug kernel: type=1400 audit(1223294410.786:122798): avc:  denied  { search } for  pid=10737 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 08:03:25 uclug kernel: type=1400 audit(1223294605.049:122799): avc:  denied  { search } for  pid=10737 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 08:03:26 uclug kernel: type=1400 audit(1223294606.347:122800): avc:  denied  { search } for  pid=10740 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir

Oct  6 08:11:04 uclug kernel: type=1400 audit(1223295064.721:122803): avc:  denied  { dac_override } for  pid=6809 comm="mailmanctl" capability=1 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=capability
Oct  6 08:11:10 uclug kernel: type=1400 audit(1223295070.072:122804): avc:  denied  { dac_override } for  pid=6814 comm="mailmanctl" capability=1 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=capability


From the .te files we ran to fix the problem:

module jlnmailmanlog 1.0;

require {
        type mailman_mail_t;
        type mailman_archive_t;
        class dir search;
}

#============= mailman_mail_t ==============
# allow rule matching the "search" denial on the archives directory in the AVC lines above
allow mailman_mail_t mailman_archive_t:dir search;


module jlnmailmanlog2 1.0;

require {
        type mailman_mail_t;
        class capability dac_override;
}

#============= mailman_mail_t ==============
# allow rule matching the "dac_override" denial for mailmanctl in the AVC lines above
allow mailman_mail_t self:capability dac_override;
Comment 1 David Nalley 2008-10-06 10:10:04 EDT
One more quick addition to get mailman's web interface to work: 

Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.549:122811): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug/attachments/20080928" dev=dm-0 ino=204003 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.550:122812): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug/attachments" dev=dm-0 ino=204002 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.550:122813): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private/uclug" dev=dm-0ino=196660 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.551:122814): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives/private" dev=dm-0 ino=196131 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.551:122815): avc:  denied  { getattr } for  pid=7618 comm="python" path="/var/lib/mailman/archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122816): avc:  denied  { search } for  pid=7618 comm="python" name="httpd" dev=dm-0 ino=89761 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122817): avc:  denied  { search } for  pid=7618 comm="python" name="httpd" dev=dm-0 ino=89761 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122818): avc:  denied  { add_name } for  pid=7618 comm="python" name="attachments.lock.uclug.org.7618.5" scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 09:55:21 uclug kernel: type=1400 audit(1223301321.968:122819): avc:  denied  { read append } for  pid=7615 comm="python" name="uclug.mbox" dev=dm-0 ino=196659 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:mailman_archive_t:s0 tclass=file




module jlnmailmanlog4 1.0;

require {
	type mailman_mail_t;
	type mailman_archive_t;
	type httpd_config_t;
	class dir { search getattr add_name };
	class file { read append };
}

#============= mailman_mail_t ==============
allow mailman_mail_t httpd_config_t:dir search;
allow mailman_mail_t mailman_archive_t:dir { getattr add_name };
allow mailman_mail_t mailman_archive_t:file { read append };
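The three .te modules in this report are what audit2allow produces from the quoted AVC lines: one require block per type and class involved, then an allow rule per (source type, target type, class) with the denied permissions merged. The script below is an added example, not part of the bug report or of the selinux-policy package, that performs that aggregation on four of the AVC lines quoted above (embedded as constructed sample input), renders a module in the same layout, and flags capability grants for review before anything is installed. The module name mailman_local and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the AVC lines quoted in this bug report.
SAMPLE_AVCS = """\
Oct  6 08:00:10 uclug kernel: type=1400 audit(1223294410.786:122798): avc:  denied  { search } for  pid=10737 comm="python" name="archives" dev=dm-0 ino=196130 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:mailman_archive_t:s0 tclass=dir
Oct  6 08:11:04 uclug kernel: type=1400 audit(1223295064.721:122803): avc:  denied  { dac_override } for  pid=6809 comm="mailmanctl" capability=1 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:system_r:mailman_mail_t:s0 tclass=capability
Oct  6 09:55:20 uclug kernel: type=1400 audit(1223301320.561:122816): avc:  denied  { search } for  pid=7618 comm="python" name="httpd" dev=dm-0 ino=89761 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Oct  6 09:55:21 uclug kernel: type=1400 audit(1223301321.968:122819): avc:  denied  { read append } for  pid=7615 comm="python" name="uclug.mbox" dev=dm-0 ino=196659 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=unconfined_u:object_r:mailman_archive_t:s0 tclass=file
"""

# Pulls the permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every denial line in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge permissions per (source, target, class), which is what audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several in braces, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, rules):
    """Render a .te module in the layout of the ones quoted in the report."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                # a domain granted a capability on its own context is written as "self"
                target = "self" if tgt == src else tgt
                lines.append(f"allow {src} {target}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def review(rules):
    """Flag rules that should not be installed unread: capability grants are process-wide,
    and dac_override in particular lets the domain ignore file owner and mode bits."""
    return [f"{src}: capability {fmt_perms(perms)} requested; check ownership and mode "
            f"of the files involved before granting it"
            for (src, _, cls), perms in rules.items() if cls == "capability"]


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVCS)
    print(generate_te("mailman_local", rules))
    for warning in review(rules):
        print("WARNING:", warning)
```

Running it prints a single module covering all four denials, followed by one warning for the dac_override grant. A dac_override denial is normally a sign that the files the daemon touches are owned by a different user or have restrictive modes; fixing the ownership removes the denial without widening the policy, which is why the review step singles it out. The generated .te is compiled and loaded the usual way (checkmodule -M -m, semodule_package, semodule -i); on Fedora 9 with selinux-policy -95 or later, as comment 2 states, the archive and httpd_config_t accesses are already in the base policy and no local module is needed.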
Comment 2 Daniel Walsh 2008-10-06 14:42:35 EDT
Fixed in selinux-policy-3.3.1-95.fc9.noarch
Comment 3 David Nalley 2008-10-06 20:34:01 EDT
Indeed this is fixed in -95, closing bug.
