Mailman/Python issues with SELinux

David Hoffman dhoffman2004 at gmail.com
Sun Apr 10 15:07:32 UTC 2005


OK, here's one that I can't seem to figure out. Usually when I see log
entries like this, the fix is to be sure that the latest version of
selinux_policy_targetted is applied, and/or run restorecon against the
file being called. But at 4:02am, Mailman is attempting to call Python
to execute something, and this causes the following log entries in my
messages log:

Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc:  denied 
{ dac_override } for  pid=17159 exe=/usr/bin/python capability=1
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied 
{ setgid } for  pid=17159 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied 
{ setuid } for  pid=17159 exe=/usr/bin/python capability=7
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc:  denied 
{ signal } for  pid=17159 exe=/usr/bin/python
scontext=system_u:system_r:mailman_mail_t
tcontext=root:system_r:unconfined_t tclass=process

If I check the security context of /usr/bin/python, here is what I get:
-rwxr-xr-x  2 system_u:object_r:bin_t          root root 5396 Feb  2
11:22 python

If I run restorecon /usr/bin/python, and then check the context again,
nothing changes.

I know there is a way to create a policy from these errors, and then
apply the policy to the system, but I would have thought that since my
Mailman and Python installations were from the supplied RPM packages,
and since I wasn't manually compiling them, then the policies that are
in place should already be there.

If anyone can give me a heads up about why this is happening, I would
appreciate it.

Thank you.


-- 

David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world,
those who understand binary, and those who don't.
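
An added example, not part of the original message: a small parser for the AVC denials quoted above. It tolerates the line wrapping of the archived mail, groups the denied permissions by source type, target type and class, and renders each group in allow-rule syntax so the requested access can be reviewed. The function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Log records from the message above, with the line wrapping of the archived mail.
SAMPLE = """\
Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc:  denied
{ dac_override } for  pid=17159 exe=/usr/bin/python capability=1
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied
{ setgid } for  pid=17159 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied
{ setuid } for  pid=17159 exe=/usr/bin/python capability=7
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc:  denied
{ signal } for  pid=17159 exe=/usr/bin/python
scontext=system_u:system_r:mailman_mail_t
tcontext=root:system_r:unconfined_t tclass=process
"""

# \s+ and DOTALL let one record span several physical lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)",
    re.DOTALL)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Map (source type, target type, class) to the sorted denied permissions."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_rules(summary):
    """Render each group in allow-rule syntax, as a review aid rather than policy."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};")
    return rules
```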



