Bug 997321 - mailman problems with unconfined turned off
mailman problems with unconfined turned off
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-08-15 03:24 EDT by Robin Powell
Modified: 2013-08-21 20:54 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-21 20:54:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robin Powell 2013-08-15 03:24:54 EDT
This one's weird, because I could have sworn it was working on F17, but all of a sudden, on my system with unconfined disabled, exim can't do any mailman things.

See many AVCs at http://paste.fedoraproject.org/32211/52828213/raw/

This: sudo chcon -R -t mailman_mail_exec_t /usr/lib/mailman/bin

seems to fix the problem entirely, although I'm still waiting to see if that's actually true.

Comment 1 Robin Powell 2013-08-15 03:36:06 EDT
No, that doesn't do it either; so far, even with that chcon (they were bin_t before, and restorecon puts them back to bin_t), audit2allow wants me to do the following, so far:

allow exim_t mailman_data_t:file { write rename create };
allow exim_t mailman_log_t:file { read open };
allow mailman_cgi_t httpd_t:tcp_socket { read write };

Like I said, this was all working; something weird happened, I think.

Comment 2 Daniel Walsh 2013-08-15 14:57:34 EDT
Robin please send us the raw avc data.
Comment 3 Robin Powell 2013-08-15 18:39:43 EDT
I did, that's the link in my first post.

Here's another one:  http://paste.fedoraproject.org/32446/37660633/raw/

That's everything in the last 24 hours or so that matches AVC and "mailman" in the audit log.  For most of that time it was in permissive mode.

Comment 4 Daniel Walsh 2013-08-16 14:08:52 EDT
Ok I added fixes for exim, but this one seems a little strange.

type=AVC msg=audit(08/15/2013 08:00:05.856:139507) : avc:  denied  { write } for  pid=25173 comm=checkdbs name=data dev="vdb1" ino=21 scontext=system_u:system_r:mailman_queue_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir

Do you know where the data directory is?
Comment 5 Daniel Walsh 2013-08-16 14:09:28 EDT
fd70013686ddf347ea89ebeae7e43e6fba83dd55 fixes the other problems in git.
Comment 6 Robin Powell 2013-08-16 17:24:08 EDT
That's /srv/mailman/data ; my own thing, obviously, but I've done fcontext tweaks:

rlpowell@stodi> sudo ls -dlZ /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0       /srv
rlpowell@stodi> sudo ls -dlZ /srv/mailman
drwxrwsr-x. root mailman system_u:object_r:mailman_data_t:s0 /srv/mailman
rlpowell@stodi> sudo ls -dlZ /srv/mailman/data
drwxrwsr-x. root mailman system_u:object_r:mailman_data_t:s0 /srv/mailman/data

rlpowell@stodi> sudo semanage fcontext -l | grep /srv/mailm
/srv/mailman(/.*)?                                 all files          system_u:object_r:mailman_data_t:s0
/srv/mailman/archives(/.*)?                        all files          system_u:object_r:mailman_archive_t:s0

Comment 7 Robin Powell 2013-08-16 17:24:58 EDT
How do I access the git so I can put up a local version of your changes?  I've been running with setenforce 0 -_-

Comment 8 Daniel Walsh 2013-08-17 06:52:51 EDT
Miroslav should be doing a new build on Monday, he is back from Vacation. Then you can get it from Koji or wait for updates-testing.
Comment 9 Fedora Update System 2013-08-20 04:28:15 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
Comment 10 Fedora Update System 2013-08-20 20:17:04 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 11 Robin Powell 2013-08-20 20:26:00 EDT
Much better!  Thank you!
Comment 12 Fedora Update System 2013-08-21 20:54:57 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.