Mailman/Python issues with SELinux

Daniel J Walsh dwalsh at redhat.com
Mon Apr 11 15:21:37 UTC 2005


David Hoffman wrote:

>OK, here's one that I can't seem to figure out. Usually when I see log
>entries like this, the fix is to be sure that the latest version of
>selinux_policy_targetted is applied, and/or run restorecon against the
>file being called. But at 4:02am, Mailman is attempting to call Python
>to execute something, and this causes the following log entries in my
>messages log:
>
>Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc:  denied 
>{ dac_override } for  pid=17159 exe=/usr/bin/python capability=1
>scontext=system_u:system_r:mailman_mail_t
>tcontext=system_u:system_r:mailman_mail_t tclass=capability
>Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied 
>{ setgid } for  pid=17159 exe=/usr/bin/python capability=6
>scontext=system_u:system_r:mailman_mail_t
>tcontext=system_u:system_r:mailman_mail_t tclass=capability
>Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied 
>{ setuid } for  pid=17159 exe=/usr/bin/python capability=7
>scontext=system_u:system_r:mailman_mail_t
>tcontext=system_u:system_r:mailman_mail_t tclass=capability
>Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc:  denied 
>{ signal } for  pid=17159 exe=/usr/bin/python
>scontext=system_u:system_r:mailman_mail_t
>tcontext=root:system_r:unconfined_t tclass=process
This says that mailman is trying to run a python script that is 
setuid/setgid and needs to override DAC protections.

Did you change your mail environment?  These are definitely not rules 
you want to add to your mailman.  Whatever it is trying to run should 
either do a transition or not happen.  
Did you change your mailer?
A new patch to the kernel is coming to show the COMM line in addition to 
the exe so that we could figure out which python script it is trying to 
execute.

>If I check the security context of /usr/bin/python, here is what I get:
>-rwxr-xr-x  2 system_u:object_r:bin_t          root root 5396 Feb  2 11:22 python
>
>If I run restorecon /usr/bin/python, and then check the context again,
>nothing changes.
>
>I know there is a way to create a policy from these errors, and then
>apply the policy to the system, but I would have thought that since my
>Mailman and Python installations were from the supplied RPM packages,
>and since I wasn't manually compiling them, then the policies that are
>in place should already be there.
>
>If anyone can give me a heads up about why this is happening, I would
>appreciate it.
>
>Thank you.
>


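As an added example (not part of the thread, and not Red Hat's, Fedora's or Mailman's own code): a small Python triage script that parses kernel AVC lines like the ones quoted above, groups the denials per pid, and flags the two things Dan points at: capability denials for setuid, setgid and dac_override, which mean the confined domain tried to change identity or bypass DAC, and a signal denial whose target is a different domain (here root's unconfined_t). The sample log is the four lines from the post re-joined onto single lines plus one constructed non-AVC line; the capability-name table and the set of "identity-changing" permissions are my own choices, not anything from the page.

```python
"""Triage SELinux AVC denials from syslog-style kernel audit lines.

Groups denials per process so that a run like the one in the post reads as
"pid 17159 (/usr/bin/python, mailman_mail_t) wanted setuid/setgid/dac_override
and to signal a root unconfined_t process" instead of four separate lines.
"""
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the post, re-joined onto single
# lines, plus one non-AVC kernel line to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc:  denied  { dac_override } for  pid=17159 exe=/usr/bin/python capability=1 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied  { setgid } for  pid=17159 exe=/usr/bin/python capability=6 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc:  denied  { setuid } for  pid=17159 exe=/usr/bin/python capability=7 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc:  denied  { signal } for  pid=17159 exe=/usr/bin/python scontext=system_u:system_r:mailman_mail_t tcontext=root:system_r:unconfined_t tclass=process
Apr 10 04:02:28 master kernel: not an avc line at all
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Capability numbers from linux/capability.h, for the ones that appear here.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID"}

# Permissions on tclass=capability that mean "change identity or bypass DAC"
# (my own grouping for triage purposes).
PRIV_CHANGE_PERMS = {"setuid", "setgid", "dac_override", "fowner", "chown"}


def domain(context):
    """'system_u:system_r:mailman_mail_t' -> 'mailman_mail_t' (ignores any MLS range)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return one dict per AVC record, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    rec["pid"] = int(rec["pid"])
    if "capability" in rec:
        cap = int(rec["capability"])
        rec["capability"] = cap
        rec["cap_name"] = CAP_NAMES.get(cap, f"CAP_{cap}")
    return rec


def summarize(lines):
    """Group denied records by pid: exe, source domain, permissions per class, target domains."""
    by_pid = defaultdict(
        lambda: {"exe": None, "sdomain": None, "perms": defaultdict(set), "tdomains": set()}
    )
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        entry = by_pid[rec["pid"]]
        entry["exe"] = rec.get("exe")
        entry["sdomain"] = domain(rec["scontext"])
        entry["perms"][rec["tclass"]] |= rec["perms"]
        entry["tdomains"].add(domain(rec["tcontext"]))
    return {pid: {**e, "perms": dict(e["perms"])} for pid, e in by_pid.items()}


def find_priv_change_attempts(summary):
    """pids whose denied capability permissions include an identity/DAC-bypass capability."""
    return {
        pid for pid, e in summary.items()
        if e["perms"].get("capability", set()) & PRIV_CHANGE_PERMS
    }


def find_cross_domain_signals(summary):
    """(pid, target_domain) pairs where a domain was denied signalling a *different* domain."""
    out = set()
    for pid, e in summary.items():
        if "signal" in e["perms"].get("process", set()):
            for target in e["tdomains"] - {e["sdomain"]}:
                out.add((pid, target))
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for pid, e in summary.items():
        print(pid, e["exe"], e["sdomain"], e["perms"], sorted(e["tdomains"]))
    print("identity/DAC-bypass attempts:", find_priv_change_attempts(summary))
    print("cross-domain signals:", find_cross_domain_signals(summary))
```

On a real box, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/messages` (or the output of `ausearch -m avc` on audit-enabled systems). The useful output is the per-pid grouping: one process in mailman_mail_t asking for CAP_SETUID, CAP_SETGID and CAP_DAC_OVERRIDE and then trying to signal a root unconfined_t process is what Dan reads as "a setuid/setgid script that should transition to its own domain rather than be allowed these capabilities in mailman_mail_t".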