On Tue, 2008-02-19 at 17:03 -0500, Daniel J Walsh wrote:
> Check to see if the relabel worked without the module
>
> # semodule -r mymailman
>
> Now try it again.  This should work without AVC messages

Interestingly, this does work and doesn't work, but it fails at a later stage than it used to.  What does this mean?  The message appears to get delivered, but I also get an SELinux complaint referring to the mail spool file:

Summary
    SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t) "read" to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).

Detailed Description
    SELinux denied access requested by /usr/lib/mailman/mail/mailman. It is not expected that this access is required by /usr/lib/mailman/mail/mailman and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/spool/mqueue/dfm1K3MwNg031190,

    restorecon -v /var/spool/mqueue/dfm1K3MwNg031190

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:mailman_mail_t:s0
Target Context                system_u:object_r:mqueue_spool_t:s0
Target Objects                /var/spool/mqueue/dfm1K3MwNg031190 [ file ]
Affected RPM Packages         mailman-2.1.9-8.2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kilroy.chi.il.us
Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 19 Feb 2008 09:22:58 PM CST
Last Seen                     Tue 19 Feb 2008 09:22:58 PM CST
Local ID                      c52fd5cd-781f-4178-ae56-dd979cb54ab6
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8 exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0 path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 scontext=system_u:system_r:mailman_mail_t:s0 sgid=41 subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8

If I repeat the procedure from earlier, I get a longer mymailman.te file that contains the following:

module mymailman2 1.0;

require {
	type sendmail_t;
	type mailman_mail_t;
	type mailman_log_t;
	type mailman_data_t;
	type mqueue_spool_t;
	class unix_stream_socket { read write };
	class dir { write remove_name search add_name };
	class file { write rename getattr read create append };
}

#============= mailman_mail_t ==============
allow mailman_mail_t mqueue_spool_t:file { read write };
allow mailman_mail_t sendmail_t:unix_stream_socket { read write };

#============= sendmail_t ==============
allow sendmail_t mailman_data_t:dir { write remove_name add_name };
allow sendmail_t mailman_data_t:file { write rename getattr create };
allow sendmail_t mailman_log_t:dir search;
allow sendmail_t mailman_log_t:file { read getattr append };

It appears that I don't need all of these rules.  Looking at the two files, I see a *.pp file that appears to be a binary file and a *.te file that is human readable.  But I'm not sure how to create a policy file that's just the text file.  I also don't know why mailman wants access to the spool file, but with the above I get no complaints when I send mail to the list.  Without the above I still get a complaint, although the mail appears to get delivered OK.

Eddie

-- 
Edward Kuns <ekuns@xxxxxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
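As an added example (not part of Eddie's message, Dan's reply, or any Fedora tool), the script below shows how a .te module like the one above is derived from raw AVC records: it parses "avc: denied { perms } for key=value ..." lines, merges the denied permissions per (source type, target type, object class) triple, and renders a module with a require block and only the allow rules the observed denials call for. The first audit line is the one quoted in the thread; the two sendmail_t records and the SYSCALL record are constructed samples (the timestamps and pids are made up) to show merging and skipping of non-AVC lines. It assumes the unquoted key=value layout seen in the thread and a context of the form user:role:type[:range].

```python
import re
from collections import defaultdict

# Constructed input: the first AVC is the raw audit message quoted in the thread;
# the remaining records are made-up samples (fake timestamps and pids) that
# exercise permission merging and a non-AVC line that must be ignored.
SAMPLE_AUDIT = """\
avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8 exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0 path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 scontext=system_u:system_r:mailman_mail_t:s0 sgid=41 subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8
type=AVC msg=audit(1203434578.101:42): avc: denied { write add_name } for pid=31200 comm=sendmail name=tmp scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1203434578.102:43): avc: denied { remove_name } for pid=31200 comm=sendmail name=tmp scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1203434578.102:43): arch=40000003 syscall=5 success=no exit=-13 comm="sendmail"
"""

# Matches the permission set and everything after "for", whether or not the
# line carries the "type=AVC msg=audit(...)" prefix written by auditd.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    perms = frozenset(m.group("perms").split())
    return (type_of(fields["scontext"]), type_of(fields["tcontext"]),
            fields["tclass"], perms)


def collect_rules(audit_text):
    """Merge all denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name, version="1.0"):
    """Render module source (.te): header, require block, one allow per triple."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(per_class[cls])};" for cls in sorted(per_class)]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{cls} {fmt_perms(rules[(src, tgt, cls)])};"
            for (src, tgt, cls) in sorted(rules)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT), "mymailman"))
```

The text file is the whole policy source; the binary .pp is built from it with checkmodule -M -m -o mymailman.mod mymailman.te, then semodule_package -o mymailman.pp -m mymailman.mod, and loaded with semodule -i mymailman.pp. Because every rule produced this way grants exactly what a denial asked for, each one is worth reading before loading: the alert's own first suggestion, restorecon on the target, rules out a mislabeled file, and a rule such as mailman_mail_t reading mqueue_spool_t should be kept only if that access is genuinely part of how the mailer hands messages to the list software.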