crond/mailman, .... Rawhide issues....[FIX?]

Russell Coker russell at coker.com.au
Sat Aug 14 07:52:50 UTC 2004


On Sat, 14 Aug 2004 03:59, "t l" <concert at europe.com> wrote:
> These changes seem to make crond/mailman happy:
>
> allow system_crond_t mailman_lock_t:dir rw_dir_perms;
> allow system_crond_t mailman_lock_t:file create_file_perms;
> allow system_crond_t mailman_log_t:file { append read };

The problem with this is that it removes the entire point of having a policy 
for mailman.

> Subject: Cron <mailman fedora> /usr/bin/python -S /var/mailman/cron/gate_news

Above is the real problem.  /usr/bin/python is run instead 
of /var/mailman/cron/gate_news.

I presume that python is specified on the command-line to give the -S option.  
From the python man page:
       -S     Disable  the  import  of  the module site and the site-dependent
              manipulations of sys.path that it entails.

If we make the first line of each python script be:
#!/usr/bin/python -S

Then the "/usr/bin/python -S" part can be removed and a domain_auto_trans() 
rule will take place and run things in the right domain.

Also the mailman.fc file was missing some things.  I've attached a revised 
version (untested) which should work better.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
# mailman list server
/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
ifdef(`debian', `
/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
')
ifdef(`redhat', `
/var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
/var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
/var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
/var/mailman/cron		-d system_u:object_r:bin_t
/var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
/var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
/var/mailman/scripts/mailman 	-- system_u:object_r:mailman_mail_exec_t
/var/mailman/bin/qrunner     	-- system_u:object_r:mailman_queue_exec_t
/var/mailman/cgi-bin/.* 	-- system_u:object_r:mailman_cgi_exec_t
/var/mailman/mail/mailman 	-- system_u:object_r:mailman_mail_exec_t
')
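
The crontab change proposed in the message above, as an added example that is not part of the original post or its attachment: a Python check that flags crontab commands which exec an interpreter rather than the script, and derives the shebang line and the shortened entry. The sample crontab, its schedule values, the checkdbs path and every interpreter path other than /usr/bin/python are constructed for illustration.

```python
import shlex

# Only /usr/bin/python is from the post; the other paths are assumptions.
INTERPRETERS = {"/usr/bin/python", "/usr/bin/perl", "/bin/sh", "/bin/bash"}

def audit_entry(line):
    """Inspect one user-crontab line (five time fields, then the command).

    Returns None if the command is exec'd directly, else a dict describing
    how to run the script itself so a transition on its file type can apply.
    """
    line = line.strip()
    fields = line.split(None, 5)
    if line.startswith("#") or len(fields) < 6:   # comment, blank, VAR=value
        return None
    schedule, argv = fields[:5], shlex.split(fields[5])
    if argv[0] not in INTERPRETERS:
        return None                               # script is exec'd directly
    rest, opts = argv[1:], []
    while rest and rest[0].startswith("-"):
        opts.append(rest.pop(0))                  # interpreter options (-S)
    if not rest:
        return None                               # no script argument
    # Linux passes everything after the interpreter path in a #! line as ONE
    # argument, so at most one option can be moved into the shebang.
    shebang = "#!" + " ".join([argv[0]] + opts) if len(opts) <= 1 else None
    return {
        "executed": argv[0],                      # file whose type cron execs
        "script": rest[0],
        "shebang": shebang,
        "fixed_line": " ".join(schedule + [shlex.join(rest)]),
    }

def audit_crontab(text):
    """Return a finding for every line that runs a script via an interpreter."""
    return [f for f in map(audit_entry, text.splitlines()) if f]

# Constructed sample; only the gate_news command is taken from the post.
SAMPLE = """\
MAILTO=root
0,5,10 * * * * /usr/bin/python -S /var/mailman/cron/gate_news
0 8 * * * /var/mailman/cron/checkdbs
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE):
        print(f"{f['executed']} is exec'd, not {f['script']}")
        print(f"  first line of script: {f['shebang']}")
        print(f"  crontab entry:        {f['fixed_line']}")
```

A finding whose shebang is None has more than one interpreter option and cannot be converted by editing the first line alone.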

