Re: mailman doesn't receive messages from sendmail on fresh F8 install

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2008-02-19 at 17:03 -0500, Daniel J Walsh wrote:
> Check to see if the relabel worked without the module
> 
> # semodule -r mymailman
> 
> Now try it again.  This should work without AVC messages

Interestingly, this does work and doesn't work, but it fails at a later
stage than it used to.  What does this mean?  The message appears to get
delivered, but I also get an selinux complaint referring to the mail
spool file:

Summary
    SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t)
"read"
    to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).

Detailed Description
    SELinux denied access requested by /usr/lib/mailman/mail/mailman. It
is not
    expected that this access is required
by /usr/lib/mailman/mail/mailman and
    this access may signal an intrusion attempt. It is also possible
that the
    specific version or configuration of the application is causing it
to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could
try to
    restore the default system file context for
    /var/spool/mqueue/dfm1K3MwNg031190, restorecon -v
    /var/spool/mqueue/dfm1K3MwNg031190 If this does not work, there is
currently
    no automatic way to allow this access. Instead,  you can generate a
local
    policy module to allow this access - see
http://fedora.redhat.com/docs
    /selinux-faq-fc5/#id2961385 Or you can disable SELinux protection
    altogether. Disabling SELinux protection is not recommended. Please
file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.

Additional Information        

Source Context                system_u:system_r:mailman_mail_t:s0
Target Context                system_u:object_r:mqueue_spool_t:s0
Target Objects                /var/spool/mqueue/dfm1K3MwNg031190
[ file ]
Affected RPM Packages         mailman-2.1.9-8.2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8
#1 SMP
                              Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 19 Feb 2008 09:22:58 PM CST
Last Seen                     Tue 19 Feb 2008 09:22:58 PM CST
Local ID                      c52fd5cd-781f-4178-ae56-dd979cb54ab6
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8
exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0
path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193
scontext=system_u:system_r:mailman_mail_t:s0 sgid=41
subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file
tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8




Summary
    SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t)
"read"
    to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).

Detailed Description
    SELinux denied access requested by /usr/lib/mailman/mail/mailman. It
is not
    expected that this access is required
by /usr/lib/mailman/mail/mailman and
    this access may signal an intrusion attempt. It is also possible
that the
    specific version or configuration of the application is causing it
to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could
try to
    restore the default system file context for
    /var/spool/mqueue/dfm1K3MwNg031190, restorecon -v
    /var/spool/mqueue/dfm1K3MwNg031190 If this does not work, there is
currently
    no automatic way to allow this access. Instead,  you can generate a
local
    policy module to allow this access - see
http://fedora.redhat.com/docs
    /selinux-faq-fc5/#id2961385 Or you can disable SELinux protection
    altogether. Disabling SELinux protection is not recommended. Please
file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.

Additional Information        

Source Context                system_u:system_r:mailman_mail_t:s0
Target Context                system_u:object_r:mqueue_spool_t:s0
Target Objects                /var/spool/mqueue/dfm1K3MwNg031190
[ file ]
Affected RPM Packages         mailman-2.1.9-8.2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8
#1 SMP
                              Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 19 Feb 2008 09:22:58 PM CST
Last Seen                     Tue 19 Feb 2008 09:22:58 PM CST
Local ID                      c52fd5cd-781f-4178-ae56-dd979cb54ab6
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8
exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0
path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193
scontext=system_u:system_r:mailman_mail_t:s0 sgid=41
subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file
tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8


If I repeat the procedure from earlier, I get a longer mymailman.te file
that contains the following:


module mymailman2 1.0;

require {
	type sendmail_t;
	type mailman_mail_t;
	type mailman_log_t;
	type mailman_data_t;
	type mqueue_spool_t;
	class unix_stream_socket { read write };
	class dir { write remove_name search add_name };
	class file { write rename getattr read create append };
}

#============= mailman_mail_t ==============
allow mailman_mail_t mqueue_spool_t:file { read write };
allow mailman_mail_t sendmail_t:unix_stream_socket { read write };

#============= sendmail_t ==============
allow sendmail_t mailman_data_t:dir { write remove_name add_name };
allow sendmail_t mailman_data_t:file { write rename getattr create };
allow sendmail_t mailman_log_t:dir search;
allow sendmail_t mailman_log_t:file { read getattr append };

It appears that I don't need all of these rules.  Looking at the two
files, I see a *.pp file that appears to be a binary file and a *.te
file that is human readable.  But I'm not sure how to create a policy
file that's just the text file.

I also don't know why mailman wants access to the spool file, but with
the above I get no complaints when I send mail to the list.  Without the
above I still get a complaint, although the mail appears to get
delivered OK.

	Eddie

-- 
Edward Kuns <ekuns@xxxxxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux