mailman...

Tom London selinux at comcast.net
Thu Sep 16 03:53:27 UTC 2004


Running strict/enforcing, latest packages from Dan's tree.

Argh... mailman again.

Here's the avc:

Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc:  denied  { getattr } for  pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file

This occurs every 5 minutes (so it generates lots of errored emails).  Mailman
requires Python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.

I can think of 2 possible fixes:

1.  Explicitly allow mailman_queue_t to read var_t:

--- mailman.te  2004-09-15 12:53:30.000000000 -0700
+++ 
/etc/selinux/strict/src-1.17.14-1.patched/policy/domains/program/mailman.te2004-09-14 
16:36:43.000000000 -0700
@@ -31,7 +31,7 @@
 can_network(mailman_$1_t)
 can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
+r_dir_file(mailman_$1_t, var_t)
 ')

 mailman_domain(queue, `, auth_chkpwd')
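Review bot: `r_dir_file(mailman_$1_t, var_t)` grants read access to every file labelled var_t, not just the Mailman Python tree, and because it sits inside the mailman_domain macro it applies to every mailman_$1_t domain instantiated from it (see `mailman_domain(queue, ...)` below), not only mailman_queue_t. The denial only needs getattr on files under /var/mailman/pythonlib, and var_t is the generic label for everything else under /var, so this is considerably broader than required; the relabelling approach (a dedicated type for /var/mailman/pythonlib and /var/mailman/Mailman, with read permission on that type) is the narrower fix. If the var_t rule is kept anyway, add a comment above it saying which files it is there for.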

or
2.  Relabel the .py, .pyc and .pyo files in /var/mailman/pythonlib
and /var/mailman/Mailman as shlib_t (or something else?),
i.e. add this to mailman.fc:
/var/mailman/pythonlib(/.*)?/.*\.py([co])?      -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*\.py([co])?      -- system_u:object_r:shlib_t

I'm not sure that shlib_t is correct. (Should it be mailman_queue_t?)  
But I noticed an entry in types.fc for .so files in the pythonlib tree, 
and copied that.

tom
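The two checks a policy writer would want while weighing the fixes above, as an added example that is not from the post or from the SELinux or Mailman projects: turning AVC denial lines into the minimal allow rules they imply (roughly what audit2allow does), and testing the proposed mailman.fc regexes against sample paths. The first audit line is the one quoted in the post; the second audit line and the sample paths are constructed for the example, and Python's re module stands in for the regex engine libselinux applies to file_contexts (the `--` regular-file restriction is not modelled).

```python
"""Added example (not from the post or from the SELinux/Mailman projects)."""
import re
from collections import defaultdict

# Constructed sample log lines: the first is the denial quoted in the post,
# the second is invented here to show aggregation of several permissions.
SAMPLE_AUDIT_LINES = [
    "Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc:  denied  { getattr } "
    "for  pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc "
    "dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t "
    "tcontext=system_u:object_r:var_t tclass=file",
    "Sep 15 20:45:02 fedora kernel: audit(1095306302.105:0): avc:  denied  { read } "
    "for  pid=20118 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc "
    "dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t "
    "tcontext=system_u:object_r:var_t tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return {"perms": m.group("perms").split(), **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def denials_to_rules(lines):
    """Aggregate denials by (source type, target type, class) into permission sets."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key].update(d["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def format_rules(rules):
    """Render the aggregated rules in policy syntax, one allow statement per key."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


# The two file-context regexes proposed in the post for mailman.fc.
FC_PATTERNS = [
    r"/var/mailman/pythonlib(/.*)?/.*\.py([co])?",
    r"/var/mailman/Mailman(/.*)?/.*\.py([co])?",
]


def fc_matches(path, patterns=FC_PATTERNS):
    """Return True if any proposed file-context regex matches the whole path."""
    return any(re.fullmatch(p, path) for p in patterns)


if __name__ == "__main__":
    for rule in format_rules(denials_to_rules(SAMPLE_AUDIT_LINES)):
        print(rule)
    # Constructed sample paths: the file from the denial, a hypothetical
    # extension module, and a hypothetical Mailman source file.
    for path in ["/var/mailman/pythonlib/korean/__init__.pyc",
                 "/var/mailman/pythonlib/korean/_koco.so",
                 "/var/mailman/Mailman/Queue/Runner.py"]:
        print(path, "->", "relabelled" if fc_matches(path) else "unchanged")
```

The aggregated rule (`allow mailman_queue_t var_t:file { getattr read };`) shows what the denial literally asks for; the point of the fc check is that the relabel option only touches Python sources and bytecode, leaving shared objects and the rest of /var alone, which is why it is the narrower of the two fixes.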
