Edward Kuns wrote:
> On Tue, 2008-02-19 at 17:03 -0500, Daniel J Walsh wrote:
>> Check to see if the relabel worked without the module
>>
>> # semodule -r mymailman
>>
>> Now try it again. This should work without AVC messages
>
> Interestingly, this does work and doesn't work, but it fails at a later
> stage than it used to. What does this mean? The message appears to get
> delivered, but I also get an SELinux complaint referring to the mail
> spool file:
>
Could mean that sendmail has an open file descriptor to a file in the
mqueue_spool and it leaked it to mailman. I don't think mailman reads
/var/spool/mqueue/dfm1K3MwNg031190 directly.

> Summary
> SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t) "read"
> to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).
>
> Detailed Description
> SELinux denied access requested by /usr/lib/mailman/mail/mailman. It is not
> expected that this access is required by /usr/lib/mailman/mail/mailman and
> this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for
> /var/spool/mqueue/dfm1K3MwNg031190, restorecon -v
> /var/spool/mqueue/dfm1K3MwNg031190 If this does not work, there is currently
> no automatic way to allow this access. Instead, you can generate a local
> policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context            system_u:system_r:mailman_mail_t:s0
> Target Context            system_u:object_r:mqueue_spool_t:s0
> Target Objects            /var/spool/mqueue/dfm1K3MwNg031190 [ file ]
> Affected RPM Packages     mailman-2.1.9-8.2.fc8 [application]
> Policy RPM                selinux-policy-3.0.8-84.fc8
> Selinux Enabled           True
> Policy Type               targeted
> MLS Enabled               True
> Enforcing Mode            Enforcing
> Plugin Name               plugins.catchall_file
> Host Name                 kilroy.chi.il.us
> Platform                  Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                           Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count               1
> First Seen                Tue 19 Feb 2008 09:22:58 PM CST
> Last Seen                 Tue 19 Feb 2008 09:22:58 PM CST
> Local ID                  c52fd5cd-781f-4178-ae56-dd979cb54ab6
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8
> exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0
> path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193
> scontext=system_u:system_r:mailman_mail_t:s0 sgid=41
> subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8
>
> If I repeat the procedure from earlier, I get a longer mymailman.te file
> that contains the following:
>
> module mymailman2 1.0;
>
> require {
>         type sendmail_t;
>         type mailman_mail_t;
>         type mailman_log_t;
>         type mailman_data_t;
>         type mqueue_spool_t;
>         class unix_stream_socket { read write };
>         class dir { write remove_name search add_name };
>         class file { write rename getattr read create append };
> }
>
> #============= mailman_mail_t ==============
> allow mailman_mail_t mqueue_spool_t:file { read write };
> allow mailman_mail_t sendmail_t:unix_stream_socket { read write };
>
> #============= sendmail_t ==============
> allow sendmail_t mailman_data_t:dir { write remove_name add_name };
> allow sendmail_t mailman_data_t:file { write rename getattr create };
> allow sendmail_t mailman_log_t:dir search;
> allow sendmail_t mailman_log_t:file { read getattr append };
>
> It appears that I don't need all of these rules. Looking at the two
> files, I see a *.pp file that appears to be a binary file and a *.te
> file that is human readable. But I'm not sure how to create a policy
> file that's just the text file.
>
> I also don't know why mailman wants access to the spool file, but with
> the above I get no complaints when I send mail to the list. Without the
> above I still get a complaint, although the mail appears to get
> delivered OK.
>
> Eddie

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
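Eddie asks how to turn just the human-readable .te file into a loadable module, and the audit2allow output above grants far more than the single denial reported. The script below is an added example, not code from the thread or from the Fedora policy: it derives a one-rule .te from the raw AVC line quoted above and compiles it with the standard checkmodule / semodule_package / semodule chain. The AVC string is copied from the message above as sample input; the function names and the module name mymailman are assumptions made here. It can emit either an `allow` (what audit2allow produces) or a `dontaudit`, which keeps the access denied but stops the logging and is the usual policy treatment for a descriptor leaked across exec that the child never actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal SELinux module that
# covers exactly one AVC denial, instead of every rule audit2allow collected.

# Sample input: the raw audit message quoted earlier in this thread.
AVC='avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8 exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0 path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 scontext=system_u:system_r:mailman_mail_t:s0 sgid=41 subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8'

# avc_field NAME LINE -> value of the "NAME=value" token in an AVC line
avc_field() { printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"; }

# ctx_type user:role:type:level -> type (third colon-separated field)
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# make_te MODNAME AVC_LINE allow|dontaudit -> .te text on stdout.
# "allow" grants the access; "dontaudit" leaves it denied but silences the
# log entry, the least-privilege answer when the access comes from a file
# descriptor leaked by the parent (sendmail) that the child (mailman) never uses.
make_te() {
    src=$(ctx_type "$(avc_field scontext "$2")")
    tgt=$(ctx_type "$(avc_field tcontext "$2")")
    cls=$(avc_field tclass "$2")
    perms=$(printf '%s\n' "$2" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//')
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s %s %s:%s { %s };\n' \
        "$1" "$src" "$tgt" "$cls" "$perms" "$3" "$src" "$tgt" "$cls" "$perms"
}

# build_and_install MODNAME: compile MODNAME.te into MODNAME.pp and load it.
# Needs root and the policycoreutils tools; not run here.
build_and_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Usage (as root):
#   make_te mymailman "$AVC" dontaudit > mymailman.te && build_and_install mymailman
```

Run `semodule -l` afterwards to confirm the module is loaded, and re-send a list message to check that the AVC no longer appears while delivery still succeeds.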