mailman cgi-bin denied search
Tim Fenn
fenn at stanford.edu
Thu Oct 20 06:10:21 UTC 2005
On Wed, Oct 19, 2005 at 10:31:36PM -0400, Daniel J Walsh wrote:
> Tim Fenn wrote:
> >On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
> >
> >>Tim Fenn wrote:
> >>
> >>>I recently installed mailman on my FC3 box (using the redhat based
> >>>RPMs), and it seems to be working just fine, except for the numerous
> >>>avc messages it cranks out whenever I run one of the cgi scripts
> >>>associated with mailman (e.g. via the web interface):
> >>>
> >>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
> >>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
> >>>ino=1294372 scontext=root:system_r:mailman_cgi_t
> >>>tcontext=system_u:object_r:var_run_t tclass=dir
> >>>
> >>>
> >>Why would mailman listinfo be searching /var/log directory?
> >>
> >>
> >
> >Well, I get the same errors with mailmanctl:
> >
> >./mailmanctl status
> >
> >yields no output, and the following errors:
> >Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
> >{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
> >ino=5 scontext=root:system_r:mailman_mail_t
> >tcontext=root:object_r:devpts_t tclass=chr_file
> >Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
> >{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
> >ino=1294372 scontext=root:system_r:mailman_mail_t
> >tcontext=system_u:object_r:var_run_t tclass=dir
> >Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
> >{ setgid } for pid=20837 comm="mailmanctl" capability=6
> >scontext=root:system_r:mailman_mail_t
> >tcontext=root:system_r:mailman_mail_t tclass=capability
> >
> >However, if I comment out:
> >
> >from Mailman.Logging.Syslog import syslog
> >
> >in the mailmanctl script, all is well:
> >
> ># ./mailmanctl status
> >mailman (pid 17677) is running...
> >
> >and no error messages. I would assume the same is true with the
> >cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
> >
> >Regards,
> >Tim
> >
> Yes. Submit a bug. Although generating these in FC4 would be far more
> interesting. Also, do these AVC messages cause problems or are they just
> being reported? No output from the script is fixed in FC4.
>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171265

I tested mailman on an FC4 machine, no problems. Seemed to work as
expected - no errors.

The AVC messages don't prevent mailman from working - I can make lists
and so forth (although some scripts, like mailmanctl, don't work),
but I haven't done extensive testing...

Hope this helps,
Tim