Bug 854610 - AVCs when running mailman test with disabled unconfined and unlabelednet
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2012-09-05 08:34 EDT by Michal Trunecka
Modified: 2014-09-30 19:33 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-07 07:04:09 EDT
Type: Bug

Attachments
AVCs caused by the test script (8.16 KB, text/plain), 2012-09-05 08:34 EDT, Michal Trunecka
AVCs with paths (11.81 KB, text/plain), 2012-09-11 02:57 EDT, Michal Trunecka

Description Michal Trunecka 2012-09-05 08:34:37 EDT
Created attachment 610017 [details]
AVCs caused by the test script

Description of problem:
When the unconfined and unlabelednet modules are disabled, running the automated mailman test causes AVCs, which are attached as a file.


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
mailman-2.1.12-17.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. Run the following automated test:
/CoreOS/selinux-policy/Regression/bz804020-mailman-and-similar

Actual results:
AVCs

Expected results:
No AVCs
Comment 1 Michal Trunecka 2012-09-05 08:41:39 EDT
I forgot to mention that nothing went wrong during the test, only AVCs showed up.
Comment 3 Miroslav Grepl 2012-09-06 01:12:28 EDT
Michal,
what does this test do?

Could I get an access on this machine?
Comment 4 Michal Trunecka 2012-09-06 02:58:13 EDT
The test involves setting up a new mailing list and then starting and restarting mailman service:

EMAIL_DOMAIN=$HOSTNAME
if echo ${EMAIL_DOMAIN} | grep "localhost" ; then
        EMAIL_DOMAIN="127.0.0.1"
fi
echo | /usr/lib/mailman/bin/newlist mailman root@${EMAIL_DOMAIN} S3kr3d${RANDOM}

service mailman start
service mailman restart


I tested it on my local virtual machine, but I can set up the environment on some beaker machine once it is available.
Comment 5 Daniel Walsh 2012-09-06 16:52:42 EDT
This looks like a labeling problem since you have mailman running as initrc_t. Also the python code should be compiled before running it within a service.
Comment 6 Miroslav Grepl 2012-09-11 02:24:31 EDT
Michal,
what does

# ps -efZ |grep initrc
Comment 7 Michal Trunecka 2012-09-11 02:56:27 EDT
ps -efZ |grep initrc does not show anything. I looked into the /etc/init.d/mailman script and the AVCs are probably caused by the following two things in this script:

Installing crond script:
    SRC_CRON_SCRIPT=$MAILMANHOME/cron/crontab.in
    DST_CRON_SCRIPT=/etc/cron.d/mailman
    install -m644 -o root -g root $SRC_CRON_SCRIPT $DST_CRON_SCRIPT

Running mailman-update-cfg.
[root@dhcp-25-115 bz804020-mailman-and-similar]# ls -Z `which mailman-update-cfg`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0     /usr/bin/mailman-update-cfg
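The two causes named above (the init script installing a cron file into /etc/cron.d, and executing a helper labeled bin_t) are the kind of thing a policy maintainer spots by reducing the raw AVC attachment to distinct (source type, target type, class, permission) tuples and then looking at which source domain they come from. The helper below is an added example and is not part of the bug report or of selinux-policy; the audit records in SAMPLE_AVCS are constructed for illustration and are not the attached AVCs, and the type names used in them (initrc_t, bin_t, system_cron_spool_t, mailman_mail_t, smtp_port_t) are standard targeted-policy types chosen as plausible values.

```shell
#!/bin/sh
# Added example, not part of the bug report: reduce raw audit AVC records to
# the (source type, target type, class, permissions) tuples a policy
# maintainer looks at first. SAMPLE_AVCS is CONSTRUCTED for illustration;
# it is not the attachment from bug 854610.

SAMPLE_AVCS='type=AVC msg=audit(1346842800.123:456): avc:  denied  { execute } for  pid=1234 comm="mailman" name="mailman-update-cfg" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1346842800.124:457): avc:  denied  { write } for  pid=1235 comm="install" name="mailman" dev=dm-0 ino=12346 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1346842800.125:458): avc:  denied  { write } for  pid=1235 comm="install" name="mailman" dev=dm-0 ino=12346 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1346842801.000:459): avc:  denied  { name_connect } for  pid=1300 comm="python" scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# avc_summary: read AVC records on stdin and print one line per distinct
# "<count> <source type> <target type> <class> <permissions>" tuple.
avc_summary() {
    awk '
        # the third colon-separated field of an SELinux context is the type
        function type_of(ctx,   parts, n) {
            n = split(ctx, parts, ":")
            return (n >= 3) ? parts[3] : ctx
        }
        /avc: +denied/ {
            perm = ""; s = ""; t = ""; c = ""
            # the denied permissions sit between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = type_of(substr($i, 10))
                else if ($i ~ /^tcontext=/) t = type_of(substr($i, 10))
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            count[s " " t " " c " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# initrc_sources: the subset whose source domain is initrc_t. As comment 5
# notes, a service still running as initrc_t usually means its executable
# does not carry the label that triggers the transition into the service
# domain, so these denials point at a labeling problem, not a missing rule.
initrc_sources() {
    avc_summary | awk '$2 == "initrc_t"'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
```

On a real host the input would come from `ausearch -m avc --raw` rather than the constructed sample. For the labeling angle, the check is to compare the context `ls -Z` reports for the executable with what the file-context database expects (`matchpathcon /usr/bin/mailman-update-cfg`); if they already agree, as they do for the bin_t label shown above, the fix belongs in the policy's file contexts rather than in a `restorecon` run.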
Comment 8 Michal Trunecka 2012-09-11 02:57:21 EDT
Created attachment 611669 [details]
AVCs with paths

I'm also attaching a file with the AVCs with full path names.
Comment 9 Miroslav Grepl 2012-09-13 04:55:11 EDT
(In reply to comment #7)
> ps -efZ |grep initrc   does not show anything. I looked into the
> /etc/init.d/mailman script and the AVCs are caused probably by following two
> things in this script:
> 
> Installing crond script:
>     SRC_CRON_SCRIPT=$MAILMANHOME/cron/crontab.in
>     DST_CRON_SCRIPT=/etc/cron.d/mailman
>     install -m644 -o root -g root $SRC_CRON_SCRIPT $DST_CRON_SCRIPT
> 
> Running mailman-update-cfg.
> [root@dhcp-25-115 bz804020-mailman-and-similar]# ls -Z `which
> mailman-update-cfg`
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0    
> /usr/bin/mailman-update-cfg

Yes, it will be our problem here.
Comment 10 RHEL Product and Program Management 2012-12-14 03:17:48 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 12 Miroslav Grepl 2013-07-17 09:50:03 EDT
Michal,
does the problem still exist?
Comment 13 Michal Trunecka 2013-07-24 08:56:49 EDT
No, this bug seems to be fixed in the current policy:
selinux-policy-3.7.19-209.el6.noarch
