Bug 754115 - mailman status causes AVC denial
Summary: mailman status causes AVC denial
Keywords:
Status: CLOSED DUPLICATE of bug 923340
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mailman
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jan Kaluža
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-15 12:52 UTC by Petr Sklenar
Modified: 2014-02-14 09:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-14 09:24:30 UTC
Target Upstream Version:



Description Petr Sklenar 2011-11-15 12:52:47 UTC
Description of problem:
mailman status causes AVC denial

Version-Release number of selected component (if applicable):
# rpm -q mailman selinux-policy
mailman-2.1.12-17.el6.i686
selinux-policy-3.7.19-126.el6.noarch


How reproducible:
deterministic

Steps to Reproduce:
1, restorecon -R /usr/lib/mailman/Mailman

2, ls -ladZ /usr/lib/mailman/Mailman
drwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib/mailman/Mailman

3, /etc/init.d/mailman status
type=AVC msg=audit(1321361298.795:494097): avc:  denied  { write } for  pid=17267 comm="mailmanctl" name="Mailman" dev=dm-0 ino=286551 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
mailman is stopped

4, find / -mount  -inum 286551
/usr/lib/mailman/Mailman

  
Actual results:
type=AVC msg=audit(1321361298.795:494097): avc:  denied  { write } for  pid=17267 comm="mailmanctl" name="Mailman" dev=dm-0 ino=286551 scontext=unconfined_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=di

Expected results:
no avc denial

Additional info:

Comment 2 Daniel Walsh 2011-11-15 14:05:05 UTC
Is there a python file in /usr/lib/mailman/Mailman?  Why would mailman have to write to a file that should be read/only?

Comment 3 Petr Sklenar 2011-11-15 14:34:21 UTC
(In reply to comment #2)
> Is there a python file in /usr/lib/mailman/Mailman?  Why would mailman have to
> write to a file that should be read/only?

Yes,
it's full of py files:
ls -1 /usr/lib/mailman/Mailman/*py | wc -l
30

The denial appears when calling mailman status. But status should not write to any file.
CCing mailman's developer.

Comment 4 Jan Kaluža 2011-11-15 20:42:31 UTC
Isn't it the same problem as in https://bugzilla.redhat.com/show_bug.cgi?id=681265 ? If yes, I'm open to suggestions...

Comment 5 Jan Kaluža 2011-11-15 20:43:56 UTC
Or better this RHEL6 clone: https://bugzilla.redhat.com/show_bug.cgi?id=681264

Comment 6 Daniel Walsh 2011-11-16 14:23:16 UTC
Petr, you can compile the py files by running them through python on pychecker, and that will stop the AVCs.

Basically what is happening is that as soon as an updated python script gets executed, python attempts to compile it and write the compiled code in the same directory as the py files; this is causing the AVCs.  The app should work fine, but potentially slower.  I am not sure we have a good fix for this.
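
The mechanism described in comment 6, as an added triage example (not part of the original bug thread, and not mailman or Red Hat code): it parses the AVC record from the description and lists the .py files whose Python 2 style .pyc sibling is missing or records a different source mtime, which are the files the interpreter will try to rewrite. The function names and the lib_t heuristic are assumptions of this example.

```python
import os
import re
import struct
import sys

# AVC record copied from the bug description above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1321361298.795:494097): avc:  denied  { write } for  '
    'pid=17267 comm="mailmanctl" name="Mailman" dev=dm-0 ino=286551 '
    'scontext=unconfined_u:system_r:mailman_mail_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=dir')

def parse_avc(line):
    """Return the fields of one AVC denial record as a dict, or None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        rec[key] = val.strip('"')
    return rec

def looks_like_bytecode_write(rec):
    """Heuristic (assumption): a denied write on a lib_t directory is a .pyc save attempt."""
    return (rec is not None and 'write' in rec['perms']
            and rec.get('tclass') == 'dir'
            and rec.get('tcontext', '').split(':')[2:3] == ['lib_t'])

def stale_sources(directory):
    """List .py files whose Python 2 .pyc is missing or stores a different source mtime."""
    stale = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith('.py'):
            continue
        src = os.path.join(directory, name)
        want = int(os.stat(src).st_mtime) & 0xFFFFFFFF
        try:
            with open(src + 'c', 'rb') as f:
                header = f.read(8)  # 4-byte magic, then 4-byte little-endian source mtime
        except (IOError, OSError):
            header = b''
        if len(header) < 8 or struct.unpack('<I', header[4:8])[0] != want:
            stale.append(name)
    return stale

if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else '/usr/lib/mailman/Mailman'
    if looks_like_bytecode_write(parse_avc(SAMPLE_AVC)) and os.path.isdir(target):
        print('needs byte-compiling:', stale_sources(target))
```

Files it reports can be byte-compiled ahead of time by an unconfined root process, for example with `python -m compileall`, so the confined mailman domain never needs write access to the directory.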

Comment 7 Daniel Walsh 2011-11-16 14:24:05 UTC
Dave, do you have any suggestions?

Comment 10 Suzanne Logcher 2012-02-14 23:20:22 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 11 RHEL Program Management 2012-09-18 18:31:19 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 12 RHEL Program Management 2013-10-14 00:55:07 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 13 Jan Kaluža 2014-02-14 09:24:30 UTC
I'm closing this bug as a duplicate of Bug 923340. I know this bug is older than Bug 923340, but Bug 923340 contains the solution to this problem in its description and is reported by a customer.

*** This bug has been marked as a duplicate of bug 923340 ***

