crond/mailman, .... Rawhide issues....[FIX?]

t l concert at europe.com
Fri Aug 13 17:59:44 UTC 2004


These changes seem to make crond/mailman happy:

allow system_crond_t mailman_lock_t:dir rw_dir_perms;
allow system_crond_t mailman_lock_t:file create_file_perms;
allow system_crond_t mailman_log_t:file { append read };


tom


* From: Tom London <selinux comcast net>

Latest stuff from Rawhide: crond/mailman issues again....

Here is the email (I got lots of these!):

Subject: Cron <mailman fedora> /usr/bin/python -S /var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
X-Cron-Env: <USER=mailman>

Traceback (most recent call last):
  File "/var/mailman/cron/gate_news", line 284, in ?
    main()
  File "/var/mailman/cron/gate_news", line 259, in main
    lock.lock(timeout=0.5)
  File "/var/mailman/Mailman/LockFile.py", line 243, in lock
    self.__write()
  File "/var/mailman/Mailman/LockFile.py", line 422, in __write
    fp = open(self.__tmpfname, 'w')
IOError: [Errno 13] Permission denied: '/var/mailman/locks/gate_news.lock.fedora.XXX.3986.0'

Here are the AVCs:

Aug 13 08:35:01 fedora crond(pam_unix)[4065]: session opened for user mailman by (uid=0)
Aug 13 08:35:01 fedora crond(pam_unix)[4068]: session opened for user root by (uid=0)
Aug 13 08:35:02 fedora kernel: audit(1092411302.395:0): avc: denied { read append } for pid=4067 exe=/usr/bin/python name=error dev=hda2 ino=442471 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_log_t tclass=file
Aug 13 08:35:02 fedora kernel: audit(1092411302.397:0): avc: denied { write } for pid=4067 exe=/usr/bin/python name=locks dev=hda2 ino=442718 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_lock_t tclass=dir
Aug 13 08:35:02 fedora crond(pam_unix)[4068]: session closed for user root
Aug 13 08:35:04 fedora crond(pam_unix)[4065]: session closed for user mailman

audit2allow produces:
allow system_crond_t mailman_lock_t:dir { write };
allow system_crond_t mailman_log_t:file { append read };


That right, (or have I broken something else)?
  tom


[BTW, booleans now get loaded. Neat!]
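How the two audit2allow rules in the original report follow from the logged denials, as an added example that is not part of either post and is not audit2allow's own code. The function names and the regular expression are assumptions made for illustration; the log lines are copied from the thread.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt quoted in the thread above.
SAMPLE_LOG = """\
Aug 13 08:35:01 fedora crond(pam_unix)[4065]: session opened for user mailman by (uid=0)
Aug 13 08:35:02 fedora kernel: audit(1092411302.395:0): avc: denied { read append } for pid=4067 exe=/usr/bin/python name=error dev=hda2 ino=442471 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_log_t tclass=file
Aug 13 08:35:02 fedora kernel: audit(1092411302.397:0): avc: denied { write } for pid=4067 exe=/usr/bin/python name=locks dev=hda2 ino=442718 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_lock_t tclass=dir
"""

# Hypothetical pattern for the kernel AVC record layout shown in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("malformed security context: %r" % context)
    return fields[2]


def denials_to_rules(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # PAM session lines and other non-AVC records
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The result contains only accesses that were attempted and denied. The lock-file creation that would follow the directory write never reached the log, which is consistent with the follow-up granting broader permissions on `mailman_lock_t` than audit2allow suggested.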



