On Mon, 2006-05-22 at 20:17 -0400, Todd Zullinger wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I wrote:
> > When I get a moment I'll boot to FC5 and try changing the context to
> > see what happens.
>
> Changing the context on /usr/lib/mailman/mail/mailman from lib_t to
> bin_t does get things further, and on to the next set of denials.
>
> The avc messages:
>
> May 22 20:06:36 localhost kernel: audit(1148342796.414:35): avc: denied { create } for pid=9382 comm="python" scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:postfix_local_t:s0 tclass=netlink_route_socket

I get lots of these for webalizer run from cron, which I queried about
yesterday. I don't know what this is.

> May 22 20:06:36 localhost kernel: audit(1148342796.578:36): avc: denied { search } for pid=9382 comm="python" name="log" dev=sda2 ino=489147 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

Looks like mailman trying to read the log file directory. May need a
policy change for this - I needed something similar for procmail.

> May 22 20:06:36 localhost kernel: audit(1148342796.582:37): avc: denied { write } for pid=9382 comm="python" name="in" dev=sda2 ino=491751 scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mailman_data_t:s0 tclass=dir

Failed trying to write a new file to the directory /var/spool/mailman/in.
I wonder if the mailman policy was written specifically with sendmail in
mind rather than postfix?

> The postfix messages:
>
> May 22 20:06:36 localhost postfix/pickup[9212]: 4CD6513687C: uid=500 from=<tmz>
> May 22 20:06:36 localhost postfix/cleanup[9379]: 4CD6513687C: message-id=<20060523000636.GE9258@xxxxxxxxxxxxxxxxxxxxx>
> May 22 20:06:36 localhost postfix/qmgr[9213]: 4CD6513687C: from=<tmz@xxxxxxxxxxxxxxxxxxxxx>, size=463, nrcpt=1 (queue active)
> May 22 20:06:36 localhost postfix/local[9381]: 4CD6513687C: to=<pgp-test@xxxxxxxxxxxxxxxxxxxxx>, relay=local, delay=0, status=bounced (Command died with status 1: "/usr/lib/mailman/mail/mailman post pgp-test". Command output:
>     Traceback (most recent call last):
>       File "/usr/lib/mailman/scripts/post", line 69, in ?
>         main()
>       File "/usr/lib/mailman/scripts/post", line 64, in main
>         tolist=1, _plaintext=1)
>       File "/usr/lib/mailman/Mailman/Queue/Switchboard.py", line 126, in enqueue
>         fp = open(tmpfile, 'w')
>     IOError: [Errno 13] Permission denied: '/var/spool/mailman/in/1148342796.5827579+b203c4871f8a8269deaef98890980ed0bff9cedb.pck.tmp' )
> May 22 20:06:36 localhost postfix/cleanup[9379]: 989B4136A2C: message-id=<20060523000636.989B4136A2C@xxxxxxxxxxxxxxxxxxxxx>
>
> I'm not sure whether it's worth trying to chase every denial down this
> path or if there is a better fix that can be applied.

I'm not sure. Running in permissive mode for a while should show all
the denials you'll come across, but they might not all need allowing,
and if something has the wrong label, as appears to be the case with
/usr/lib/mailman/mail/mailman, then the denials won't be useful anyway.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
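The triage Paul describes (collect the denials, then decide which ones are real policy gaps and which are symptoms of a mislabeled file) is easier with the AVC lines parsed into fields. The following is an added example, written for this page and not code from the list or from the SELinux reference policy. It parses the three denials quoted in the thread (embedded below as sample input), groups them into candidate allow rules in the same shape audit2allow prints, and lists the source domain per process name. The domain listing is the check worth doing first: if the python process is still running in postfix_local_t rather than its own domain, the file it was executed from is the thing to look at, and allowing the individual denials would only paper over that. Field names and the grouping are the example's own choices, not anything the thread specifies.

```python
import re
from collections import defaultdict

# Sample input: the three AVC denials quoted in the thread above.
SAMPLE_AVC = """\
May 22 20:06:36 localhost kernel: audit(1148342796.414:35): avc: denied { create } for pid=9382 comm="python" scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:postfix_local_t:s0 tclass=netlink_route_socket
May 22 20:06:36 localhost kernel: audit(1148342796.578:36): avc: denied { search } for pid=9382 comm="python" name="log" dev=sda2 ino=489147 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
May 22 20:06:36 localhost kernel: audit(1148342796.582:37): avc: denied { write } for pid=9382 comm="python" name="in" dev=sda2 ino=491751 scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mailman_data_t:s0 tclass=dir
"""

# "avc: denied { perm [perm ...] } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    if not ctx:
        return None
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one kernel AVC denial line into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }
    rec['sdomain'] = type_of(rec['scontext'])   # process domain
    rec['ttype'] = type_of(rec['tcontext'])     # target object type
    return rec


def summarize(text):
    """Group denials into (source domain, target type, class) -> permissions,
    and record which domains each process name was seen running in."""
    records = [r for r in (parse_avc(l) for l in text.splitlines()) if r]
    rules = defaultdict(set)
    domains = defaultdict(set)
    for r in records:
        for p in r['perms']:
            rules[(r['sdomain'], r['ttype'], r['tclass'])].add(p)
        domains[r['comm']].add(r['sdomain'])
    return records, rules, domains


def allow_lines(rules):
    """Render the grouped denials as candidate allow rules (policy syntax).
    These are for review, not for blind application: a denial caused by a
    mislabeled executable should be fixed by relabeling, not by a new rule."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, ' '.join(sorted(perms)))
        for (s, t, c), perms in sorted(rules.items())
    ]


if __name__ == '__main__':
    records, rules, domains = summarize(SAMPLE_AVC)
    print("%d denials parsed" % len(records))
    for comm, doms in sorted(domains.items()):
        print("process %s ran as: %s" % (comm, ', '.join(sorted(doms))))
    print("candidate rules (review before applying):")
    for line in allow_lines(rules):
        print("  " + line)
```

Run against the thread's lines, the domain summary shows python running only as postfix_local_t; the write denial on mailman_data_t:dir and the search denial on var_log_t:dir then become the two rules that would be needed if that domain really were the right one. On a live system the same script can be fed the output of `grep 'avc: denied' /var/log/messages`, or the audit log where auditd is running.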