Re: Mailman/Postfix execute_no_trans denial

On Mon, 2006-05-22 at 20:17 -0400, Todd Zullinger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I wrote:
> > When I get a moment I'll boot to FC5 and try changing the context to
> > see what happens.
> 
> Changing the context on /usr/lib/mailman/mail/mailman from lib_t to
> bin_t does get things further, and on to the next set of denials.
> 
> The avc messages:
> 
> May 22 20:06:36 localhost kernel: audit(1148342796.414:35): avc:  denied  { create } for  pid=9382 comm="python" scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:postfix_local_t:s0 tclass=netlink_route_socket

I get lots of these for webalizer run from cron, which I queried about
yesterday. I don't know what this is.

> May 22 20:06:36 localhost kernel: audit(1148342796.578:36): avc:  denied  { search } for  pid=9382 comm="python" name="log" dev=sda2 ino=489147 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

Looks like mailman trying to read the log file directory. May need a
policy change for this - I needed something similar for procmail.

> May 22 20:06:36 localhost kernel: audit(1148342796.582:37): avc:  denied  { write } for  pid=9382 comm="python" name="in" dev=sda2 ino=491751 scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mailman_data_t:s0 tclass=dir

Failed trying to write a new file to the directory /var/spool/mailman/in.

I wonder if the mailman policy was written specifically with sendmail in
mind rather than postfix?

> The postfix messages:
> 
> May 22 20:06:36 localhost postfix/pickup[9212]: 4CD6513687C: uid=500 from=<tmz>
> May 22 20:06:36 localhost postfix/cleanup[9379]: 4CD6513687C: message-id=<20060523000636.GE9258@xxxxxxxxxxxxxxxxxxxxx>
> May 22 20:06:36 localhost postfix/qmgr[9213]: 4CD6513687C: from=<tmz@xxxxxxxxxxxxxxxxxxxxx>, size=463, nrcpt=1 (queue active)
> May 22 20:06:36 localhost postfix/local[9381]: 4CD6513687C: to=<pgp-test@xxxxxxxxxxxxxxxxxxxxx>, relay=local, delay=0, status=bounced (Command died with status 1: "/usr/lib/mailman/mail/mailman post pgp-test". Command output: Traceback (most recent call last):   File "/usr/lib/mailman/scripts/post", line 69, in ?     main()   File "/usr/lib/mailman/scripts/post", line 64, in main     tolist=1, _plaintext=1)   File "/usr/lib/mailman/Mailman/Queue/Switchboard.py", line 126, in enqueue     fp = open(tmpfile, 'w') IOError: [Errno 13] Permission denied: '/var/spool/mailman/in/1148342796.5827579+b203c4871f8a8269deaef98890980ed0bff9cedb.pck.tmp' )
> May 22 20:06:36 localhost postfix/cleanup[9379]: 989B4136A2C: message-id=<20060523000636.989B4136A2C@xxxxxxxxxxxxxxxxxxxxx>
> 
> I'm not sure whether it's worth trying to chase every denial down this
> path or if there is a better fix that can be applied.

I'm not sure. Running in permissive mode for a while should show up all
the denials you'll come across, but they might not all need allowing,
and if something has the wrong label, as appears to be the case
with /usr/lib/mailman/mail/mailman, then the denials won't be useful
anyway.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
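The three AVC lines quoted in this thread, run through a small parser that collapses them into the allow rules audit2allow would propose. This is an added example, not code from the thread, from Mailman or from the SELinux tooling; the log text embedded in it is constructed from the denials above plus one unrelated postfix line to show that non-AVC lines are ignored. Besides the rules it also lists the source domains involved, which is the check Paul's closing remark calls for: every denial here comes from postfix_local_t, so applying the rules blindly would widen Postfix's local-delivery domain rather than fix a mislabeled Mailman wrapper.

```python
"""Parse SELinux AVC denials as logged by the kernel audit subsystem and turn
them into candidate allow rules, keeping the source domain visible so that
denials caused by a mislabeled executable stand out instead of being allowed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the three denials quoted in the thread plus one
# unrelated postfix line that the parser must skip.
SAMPLE_LOG = """\
May 22 20:06:36 localhost kernel: audit(1148342796.414:35): avc:  denied  { create } for  pid=9382 comm="python" scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:postfix_local_t:s0 tclass=netlink_route_socket
May 22 20:06:36 localhost kernel: audit(1148342796.578:36): avc:  denied  { search } for  pid=9382 comm="python" name="log" dev=sda2 ino=489147 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
May 22 20:06:36 localhost kernel: audit(1148342796.582:37): avc:  denied  { write } for  pid=9382 comm="python" name="in" dev=sda2 ino=491751 scontext=user_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mailman_data_t:s0 tclass=dir
May 22 20:06:36 localhost postfix/pickup[9212]: 4CD6513687C: uid=500 from=<tmz>
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple      # permissions inside the { } set
    comm: str         # command name of the denied process
    scontext: str     # full source (process) security context
    tcontext: str     # full target (object) security context
    tclass: str       # object class, e.g. dir, file, netlink_route_socket
    name: str         # object name, if the kernel logged one


def parse_avc(line):
    """Return a Denial for an 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        name=fields.get("name", ""),
    )


def parse_log(text):
    """Parse every line of a log, keeping only the AVC denials."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def source_domains(denials):
    """Distinct process domains that were denied. A single unexpected domain
    (here postfix_local_t rather than a mailman domain) points at a labeling
    or transition problem, not at missing rules."""
    return sorted({type_of(d.scontext) for d in denials})


def allow_rules(denials):
    """Collapse denials into allow rules, merging permissions per
    (source type, target type, class) and writing 'self' when both types match."""
    grouped = defaultdict(set)
    for d in denials:
        src, tgt = type_of(d.scontext), type_of(d.tcontext)
        if tgt == src:
            tgt = "self"
        grouped[(src, tgt, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("source domains:", ", ".join(source_domains(found)))
    for rule in allow_rules(found):
        print(rule)
```

Run it against a real /var/log/messages (or `ausearch -m avc` output) instead of SAMPLE_LOG and read the source-domain list before the rules: if the domain is not the one the policy intends for the program, fix the file label (and confirm with `ls -Z`) and collect the denials again, as the thread suggests, rather than loading the generated rules.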
