Bug 997321 - mailman problems with unconfined turned off
mailman problems with unconfined turned off
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-15 03:24 EDT by Robin Powell
Modified: 2013-08-21 20:54 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-21 20:54:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robin Powell 2013-08-15 03:24:54 EDT
This one's weird, because I could have sworn it was working on F17, but all of a sudden, on my system with unconfined disabled, exim can't do any mailman things.

See many AVCs at http://paste.fedoraproject.org/32211/52828213/raw/

This: sudo chcon -R -t mailman_mail_exec_t /usr/lib/mailman/bin

seems to fix the problem entirely, although I'm still waiting to see if that's actually true.

-Robin
Comment 1 Robin Powell 2013-08-15 03:36:06 EDT
No, that doesn't do it either; so far, even with that chcon (they were bin_t before, and restorecon puts them back to bin_t), audit2allow wants me to do the following, so far:

allow exim_t mailman_data_t:file { write rename create };
allow exim_t mailman_log_t:file { read open };
mailman_manage_data_files(exim_t)
allow mailman_cgi_t httpd_t:tcp_socket { read write };

Like I said, this was all working; something weird happened, I think.

-Robin
Comment 2 Daniel Walsh 2013-08-15 14:57:34 EDT
Robin please send us the raw avc data.
Comment 3 Robin Powell 2013-08-15 18:39:43 EDT
I did, that's the link in my first post.

Here's another one:  http://paste.fedoraproject.org/32446/37660633/raw/

That's everything in the last 24 hours or so that matches AVC and "mailman" in the audit log.  For most of that time it was in permissive mode.

-Robin
Comment 4 Daniel Walsh 2013-08-16 14:08:52 EDT
Ok I added fixes for exim, but this one seems a little strange.

type=AVC msg=audit(08/15/2013 08:00:05.856:139507) : avc:  denied  { write } for  pid=25173 comm=checkdbs name=data dev="vdb1" ino=21 scontext=system_u:system_r:mailman_queue_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir


Do you know where the data directory is?
Comment 5 Daniel Walsh 2013-08-16 14:09:28 EDT
fd70013686ddf347ea89ebeae7e43e6fba83dd55 fixes the other problems in git.
Comment 6 Robin Powell 2013-08-16 17:24:08 EDT
That's /srv/mailman/data ; my own thing, obviously, but I've done fcontext tweaks:

rlpowell@stodi> sudo ls -dlZ /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0       /srv
rlpowell@stodi> sudo ls -dlZ /srv/mailman
drwxrwsr-x. root mailman system_u:object_r:mailman_data_t:s0 /srv/mailman
rlpowell@stodi> sudo ls -dlZ /srv/mailman/data
drwxrwsr-x. root mailman system_u:object_r:mailman_data_t:s0 /srv/mailman/data

rlpowell@stodi> sudo semanage fcontext -l | grep /srv/mailm
/srv/mailman(/.*)?                                 all files          system_u:object_r:mailman_data_t:s0
/srv/mailman/archives(/.*)?                        all files          system_u:object_r:mailman_archive_t:s0

-Robin
Comment 7 Robin Powell 2013-08-16 17:24:58 EDT
How do I access the git so I can put up a local version of your changes?  I've been running with setenforce 0 -_-

-Robin
Comment 8 Daniel Walsh 2013-08-17 06:52:51 EDT
Miroslav should be doing a new build on Monday, he is back from Vacation. Then you can get it from Koji or wait for updates-testing.
Comment 9 Fedora Update System 2013-08-20 04:28:15 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 10 Fedora Update System 2013-08-20 20:17:04 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 11 Robin Powell 2013-08-20 20:26:00 EDT
Much better!  Thank you!
Comment 12 Fedora Update System 2013-08-21 20:54:57 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.