Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
This occurs every 5 minutes (so it generates lots of errored emails). Mailman requires
python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
I can think of 2 possible fixes:
1. Explicitly allow mailman_queue_t to read var_t:
--- mailman.te 2004-09-15 12:53:30.000000000 -0700
+++ /etc/selinux/strict/src-1.17.14-1.patched/policy/domains/program/mailman.te2004-09-14 16:36:43.000000000 -0700
@@ -31,7 +31,7 @@
can_network(mailman_$1_t)
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:unix_stream_socket create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
+r_dir_file(mailman_$1_t, var_t)
')
mailman_domain(queue, `, auth_chkpwd')
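Review bot: the `+r_dir_file(mailman_$1_t, var_t)` line grants read access to every file and directory labeled var_t, not just the /var/mailman/pythonlib and /var/mailman/Mailman trees, which is far broader than the single `getattr` on one .pyc file in the AVC; and since it sits inside the macro closed by `')` and instantiated by `mailman_domain(queue, ...)`, it applies to every mailman_$1_t domain built from that macro, not only mailman_queue_t. Labelling the python files with a type mailman can read (option 2, or a dedicated type) keeps the grant confined to the files that actually need it.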
or
2. by relabeling the .py, .pyc and .pyo files in /var/mailman/pythonlib
and /var/mailman/Mailman as shlib_t (or something else?)
i.e. adding this to mailman.fc:
/var/mailman/pythonlib(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
I'm not sure that shlib_t is correct. (Should it be mailman_queue_t?) But I noticed an entry in types.fc for .so files in the pythonlib tree, and copied that.
tom
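As an added illustration (not part of Tom's post or of the SELinux policy sources), a small Python parser for AVC records in the format shown above; it derives the minimal allow rule that option 1 would need and flags when the target is a generic type like var_t, where the relabelling in option 2 is the narrower fix. The sample line is a copy of the AVC from the post.

```python
import re

# Sample input: the AVC record from the post (embedded here so the script runs offline).
SAMPLE_AVC = (
    "Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } "
    "for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc "
    "dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t "
    "tcontext=system_u:object_r:var_t tclass=file"
)

# Matches "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the denied permissions, source domain, target type, class and path, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type; the third field is the type we need for a rule.
    return {
        "perms": m.group("perms").split(),
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }


def allow_rule(avc):
    """Minimal allow rule that silences exactly this denial (what option 1 amounts to)."""
    perms = " ".join(sorted(avc["perms"]))
    return "allow %s %s:%s { %s };" % (avc["sdomain"], avc["ttype"], avc["tclass"], perms)


def is_generic_target(avc, generic=("var_t", "etc_t", "usr_t", "tmp_t")):
    """True when the target is a catch-all type: allowing it opens far more than one path,
    so relabelling the files (option 2) is usually the tighter fix."""
    return avc["ttype"] in generic


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc))
    if is_generic_target(avc):
        print("target %s is generic; consider relabelling %s instead" % (avc["ttype"], avc["path"]))
```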