I recently installed mailman on my FC3 box (using the redhat based RPMs), and it seems to be working just fine, except for the numerous avc messages it cranks out whenever I run one of the cgi scripts associated with mailman (e.g. via the web interface):
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied { search } for pid=18761 comm="listinfo" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:var_run_t tclass=dir
I have selinux-policy-targeted-1.17.30-3.16, and
# getsebool httpd_enable_cgi
httpd_enable_cgi --> active
# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> active
# getsebool httpd_ssi_exec
httpd_ssi_exec --> active
# getsebool httpd_builtin_scripting
httpd_builtin_scripting --> active
# getsebool httpd_unified
httpd_unified --> active
set, is there something I'm missing?
Thanks for any help, Tim
Tim Fenn wrote:
I recently installed mailman on my FC3 box (using the redhat based RPMs), and it seems to be working just fine, except for the numerous avc messages it cranks out whenever I run one of the cgi scripts associated with mailman (e.g. via the web interface):
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied { search } for pid=18761 comm="listinfo" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:var_run_t tclass=dir
Why would mailman listinfo be searching /var/log directory?
On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
Why would mailman listinfo be searching /var/log directory?
Well, I get the same errors with mailmanctl:
./mailmanctl status
yields no output, and the following errors:
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
However, if I comment out:
from Mailman.Logging.Syslog import syslog
in the mailmanctl script, all is well:
# ./mailmanctl status
mailman (pid 17677) is running...
and no error messages. I would assume the same is true with the cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
Regards, Tim
Tim Fenn wrote:
Well, I get the same errors with mailmanctl:
./mailmanctl status
yields no output, and the following errors:
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
However, if I comment out:
from Mailman.Logging.Syslog import syslog
in the mailmanctl script, all is well:
# ./mailmanctl status
mailman (pid 17677) is running...
and no error messages. I would assume the same is true with the cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
Regards, Tim
Yes. Submit a bug. Although generating these in FC4 would be far more interesting. Also, do these AVC messages cause problems or are they just being reported? No output from the script is fixed in FC4.
On Wed, Oct 19, 2005 at 10:31:36PM -0400, Daniel J Walsh wrote:
Yes. Submit a bug. Although generating these in FC4 would be far more interesting. Also, do these AVC messages cause problems or are they just being reported? No output from the script is fixed in FC4.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171265
I tested mailman on a FC4 machine, no problems. Seemed to work as expected - no errors.
The AVC messages don't prevent mailman from working - I can make lists and so forth (although some scripts, like mailmanctl, don't work), but I haven't done extensive testing...
Hope this helps, Tim
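An added example, not part of the original thread: a small Python triage script that parses the AVC denials quoted in the messages above and groups them by source domain, target type and object class. The function names are made up for this illustration; a line whose context is truncated (for example a `tcontext` split by mail wrapping) is skipped rather than guessed at.

```python
import re
from collections import defaultdict

# Denials copied from the messages above (the mail-wrapped "system_ u" rejoined).
SAMPLE_LOG = """\
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied { search } for pid=18761 comm="listinfo" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 and parts[2] else None

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC denial, else None."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    source = selinux_type(fields.get("scontext", ""))
    target = selinux_type(fields.get("tcontext", ""))
    if source is None or target is None or "tclass" not in fields:
        return None  # truncated or wrapped line: skip rather than guess
    return {"source": source, "target": target, "tclass": fields["tclass"],
            "perms": match.group("perms").split(), "comm": fields.get("comm", "?")}

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue
        key = (record["source"], record["target"], record["tclass"])
        grouped[key]["perms"].update(record["perms"])
        grouped[key]["comms"].add(record["comm"])
    return {key: {"perms": sorted(v["perms"]), "comms": sorted(v["comms"])}
            for key, v in grouped.items()}

if __name__ == "__main__":
    for (source, target, tclass), info in summarize(SAMPLE_LOG).items():
        print(f"{source} -> {target}:{tclass} {{ {' '.join(info['perms'])} }} comm={','.join(info['comms'])}")
```

On the four denials above this shows two domains involved, `mailman_cgi_t` and `mailman_mail_t`, both denied `search` on a `var_run_t` directory.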