Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
This occurs every 5 minutes (so it generates lots of errored emails). Mailman requires Python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
I can think of 2 possible fixes:
1. Explicitly allow mailman_queue_t to read var_t:
--- mailman.te 2004-09-15 12:53:30.000000000 -0700 +++ /etc/selinux/strict/src-1.17.14-1.patched/policy/domains/program/mailman.te2004-09-14 16:36:43.000000000 -0700 @@ -31,7 +31,7 @@ can_network(mailman_$1_t) can_ypbind(mailman_$1_t) allow mailman_$1_t self:unix_stream_socket create_socket_perms; -allow mailman_$1_t var_t:dir r_dir_perms; +r_dir_file(mailman_$1_t, var_t) ')
mailman_domain(queue, `, auth_chkpwd')
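Review bot: `+r_dir_file(mailman_$1_t, var_t)` replaces a directory-only rule with read access to every var_t file for every instantiation of the mailman_$1_t macro, which is far broader than the single getattr denial on the .pyc files that motivated it. The denial shows a labeling problem (Python libraries under /var/mailman carrying the generic var_t type), so the narrower fix is to give those files a library type as in option 2, or to move them so they become lib_t, and keep the original `allow mailman_$1_t var_t:dir r_dir_perms;` unchanged.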
or 2. by relabeling the .py, .pyc and .pyo files in /var/mailman/pythonlib and /var/mailman/Mailman as shlib_t (or something else?), i.e. adding this to mailman.fc:
/var/mailman/pythonlib(/.*)?/.*.py([co])? -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*.py([co])? -- system_u:object_r:shlib_t
I'm not sure that shlib_t is correct. (Should it be mailman_queue_t?) But I noticed an entry in types.fc for .so files in the pythonlib tree, and copied that.
tom
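As an added example (not code from this thread, from Mailman, or from the Fedora policy), here is a small Python parser for AVC lines in the format shown above. It is run over the denial from this message plus two constructed follow-on lines (their timestamps, pids and the second path are made up), groups repeated denials by source type, target type, object class and permission, and flags those where a Python library file carries a generic type such as var_t, which is the labeling problem under discussion. The set of "generic" types is an assumption made for the example.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: the AVC from the thread plus two further occurrences
# (five minutes apart, with made-up pids and a made-up Mailman/Utils.pyc path).
SAMPLE_LOG = """\
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
Sep 15 20:45:02 fedora kernel: audit(1095306302.117:0): avc: denied { getattr } for pid=20231 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
Sep 15 20:50:02 fedora kernel: audit(1095306602.109:0): avc: denied { read } for pid=20340 exe=/usr/bin/python path=/var/mailman/Mailman/Utils.pyc dev=hda2 ino=444401 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for this example: container types that should never label a
# Python library; a library file with one of these types is mislabeled.
GENERIC_TYPES = {"var_t", "usr_t"}
PYTHON_SUFFIXES = (".py", ".pyc", ".pyo")

DenialKey = Tuple[str, str, str, str]  # (source type, target type, class, permission)


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one AVC line into its fields; return None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(KV_RE.findall(m.group("rest")))
    # A context is user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = str(rec[key]).split(":")[2]
    return rec


def looks_like_mislabeled_python_lib(rec: Dict[str, object]) -> bool:
    """True when the denied object is a Python module carrying a generic type."""
    path = str(rec.get("path", ""))
    return (
        rec.get("tclass") == "file"
        and path.endswith(PYTHON_SUFFIXES)
        and rec.get("tcontext_type") in GENERIC_TYPES
    )


def summarize(log: str) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:  # type: ignore[union-attr]
            key: DenialKey = (
                str(rec["scontext_type"]), str(rec["tcontext_type"]),
                str(rec["tclass"]), str(perm),
            )
            counts[key] += 1
    return counts


def mislabeled_paths(log: str) -> Dict[str, int]:
    """Paths of denied Python library files with a generic type, with hit counts."""
    hits: Dict[str, int] = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and looks_like_mislabeled_python_lib(rec):
            hits[str(rec["path"])] = hits.get(str(rec["path"]), 0) + 1
    return hits


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        src, tgt, cls, perm = key
        print(f"{n}x  {src} -> {tgt}:{cls} {perm}")
    for path, n in mislabeled_paths(SAMPLE_LOG).items():
        print(f"relabel candidate ({n} denials): {path}")
```

Feeding the real log into `summarize` shows at a glance that one (source, target, class, permission) tuple repeats on the queue runner's schedule, and `mislabeled_paths` narrows the fix to the files that need a proper library label rather than a blanket allow on var_t.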
On Wed, 2004-09-15 at 20:53 -0700, Tom London wrote:
Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
This occurs every 5 minutes (so it generates lots of errored emails). Mailman requires Python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
Eww. Why does mailman put Python libraries there? They should go in /usr/lib/python2.3/site-packages. I think simply moving them there would make them lib_t which should fix the problem.
I would file a bug on our mailman package.
Done:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132732
On Thu, 16 Sep 2004 00:07:33 -0400, Colin Walters walters@redhat.com wrote:
On Wed, 2004-09-15 at 20:53 -0700, Tom London wrote:
Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
This occurs every 5 minutes (so it generates lots of errored emails). Mailman requires Python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
Eww. Why does mailman put Python libraries there? They should go in /usr/lib/python2.3/site-packages. I think simply moving them there would make them lib_t which should fix the problem.
I would file a bug on our mailman package.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Colin's suggestion of a bugzilla about file locations is good.
Also, you need the attached patch to the policy. But it still won't work; even more needs to be done.