Bug 854610
| Summary: | AVCs when running mailman test with disabled unconfined and unlabelednet | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | dwalsh, ebenes, mmalik, mtruneck |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-07 11:04:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michal Trunecka
2012-09-05 12:34:37 UTC
I forgot to mention that nothing went wrong during the test, only AVCs showed up.

Michal, what does this test do? Could I get access to this machine?

The test involves setting up a new mailing list and then starting and restarting the mailman service:
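```
# Fall back to the loopback address when the hostname is a localhost alias
EMAIL_DOMAIN=$HOSTNAME
if echo "${EMAIL_DOMAIN}" | grep "localhost" ; then
    EMAIL_DOMAIN="127.0.0.1"
fi
# Create the "mailman" list; the piped echo supplies the Enter keypress newlist waits for
echo | /usr/lib/mailman/bin/newlist mailman "root@${EMAIL_DOMAIN}" "S3kr3d${RANDOM}"
# Start and then restart the service so the init script runs twice
service mailman start
service mailman restart
```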
I tested it on my local virtual machine, but I can set up the environment on some beaker machine once it is available.
This looks like a labeling problem since you have mailman running as initrc_t. Also the Python code should be compiled before running it within a service.

Michal, what does # ps -efZ |grep initrc

ps -efZ |grep initrc does not show anything. I looked into the /etc/init.d/mailman script and the AVCs are caused probably by following two things in this script:
Installing crond script:

```
SRC_CRON_SCRIPT=$MAILMANHOME/cron/crontab.in
DST_CRON_SCRIPT=/etc/cron.d/mailman
install -m644 -o root -g root $SRC_CRON_SCRIPT $DST_CRON_SCRIPT
```

Running mailman-update-cfg.

```
[root@dhcp-25-115 bz804020-mailman-and-similar]# ls -Z `which mailman-update-cfg`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/mailman-update-cfg
```
Created attachment 611669
AVCs with paths
I'm also attaching a file with the AVCs with full path names.
(In reply to comment #7)
> ps -efZ |grep initrc does not show anything. I looked into the
> /etc/init.d/mailman script and the AVCs are caused probably by following two
> things in this script:
>
> Installing crond script:
> SRC_CRON_SCRIPT=$MAILMANHOME/cron/crontab.in
> DST_CRON_SCRIPT=/etc/cron.d/mailman
> install -m644 -o root -g root $SRC_CRON_SCRIPT $DST_CRON_SCRIPT
>
> Running mailman-update-cfg.
> [root@dhcp-25-115 bz804020-mailman-and-similar]# ls -Z `which
> mailman-update-cfg`
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0
> /usr/bin/mailman-update-cfg

Yes, it will be our problem here.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Michal, does the problem still exist?

No, this bug seems to be fixed in the current policy: selinux-policy-3.7.19-209.el6.noarch
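
The triage step discussed in this thread (checking whether denials come from the generic init-script domain initrc_t rather than a service's own domain) can be scripted over audit.log. The following is an added example, not part of the bug report or the selinux-policy project; the log records are constructed for illustration (they are not the AVCs from attachment 611669) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration; NOT the AVCs attached to this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1346848477.101:201): avc:  denied  { write } for  pid=2101 comm="install" name="cron.d" dev=dm-0 ino=1311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1346848477.140:202): avc:  denied  { read write } for  pid=2105 comm="mailman-update-" path="/tmp/example" dev=dm-0 ino=1402 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1346848478.002:203): avc:  denied  { getattr } for  pid=2110 comm="python" path="/tmp/example" dev=dm-0 ino=1402 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1346848478.002:203): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial, or a record this pattern does not cover
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
    return dict(groups)

def from_init_script_domain(groups, domain="initrc_t"):
    """Keys of denials whose source is the generic init-script domain."""
    return sorted(k for k in groups if k[0] == domain)

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for src, tgt, cls in from_init_script_domain(groups):
        g = groups[(src, tgt, cls)]
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} via {sorted(g['comms'])}")
```

Denials listed by `from_init_script_domain` point at commands the init script runs directly, which is where checking the executable's label with `ls -Z` comes in.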