mailman cgi-bin denied search

Daniel J Walsh dwalsh at redhat.com
Thu Oct 20 02:31:36 UTC 2005


Tim Fenn wrote:
> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>   
>> Tim Fenn wrote:
>>     
>>> I recently installed mailman on my FC3 box (using the redhat based
>>> RPMs), and it seems to be working just fine, except for the numerous
>>> avc messages it cranks out whenever I run one of the cgi scripts
>>> associated with mailman (e.g. via the web interface):
>>>
>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>> { search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>> u:object_r:var_run_t tclass=dir
>>>
>>>       
>> Why would mailman listinfo be searching /var/log directory?
>>
>>     
>
> Well, I get the same errors with mailmanctl:
>
> ./mailmanctl status
>
> yields no output, and the following errors:
> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
> { read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
> ino=5 scontext=root:system_r:mailman_mail_t
> tcontext=root:object_r:devpts_t tclass=chr_file
> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
> { search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
> ino=1294372 scontext=root:system_r:mailman_mail_t
> tcontext=system_u:object_r:var_run_t tclass=dir
> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
> { setgid } for  pid=20837 comm="mailmanctl" capability=6
> scontext=root:system_r:mailman_mail_t
> tcontext=root:system_r:mailman_mail_t tclass=capability
>
> However, if I comment out:
>
> from Mailman.Logging.Syslog import syslog
>
> in the mailmanctl script, all is well:
>
> # ./mailmanctl status
> mailman (pid 17677) is running...
>
> and no error messages.  I would assume the same is true with the
> cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>
> Regards,
> Tim
>   
Yes.  Submit a bug.  Although generating these in FC4 would be far more 
interesting.  Also, do these AVC messages cause problems or are they just 
being reported?  No output from the script is fixed in FC4.



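An added example, not part of the original messages: a small Python parser that groups the AVC denials quoted in this thread by source type, target type and object class, tolerating the line wrapping the e-mail introduced. The function names and the assumption of three-field user:role:type contexts (as in the records above) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this thread, keeping the
# e-mail's line wrapping (one context is split mid-token).
SAMPLE = """\
Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
{ search } for  pid=18761 comm="listinfo" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
{ read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
ino=5 scontext=root:system_r:mailman_mail_t
tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
{ search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_mail_t
tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
{ setgid } for  pid=20837 comm="mailmanctl" capability=6
scontext=root:system_r:mailman_mail_t
tcontext=root:system_r:mailman_mail_t tclass=capability
"""

# re.S lets every gap span the line breaks inserted by the mail client.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<s>.+?)\s+tcontext=(?P<t>.+?)\s+tclass=(?P<cls>\w+)",
    re.S)

def field_type(ctx):
    """Return the type field of a user:role:type context (assumed 3 fields)."""
    # Contexts never contain whitespace, so any found here came from wrapping.
    return re.sub(r"\s+", "", ctx).split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    # Splitting on "audit(" keeps one record per chunk, so a malformed
    # record cannot borrow fields from the record that follows it.
    for chunk in text.split("audit(")[1:]:
        m = AVC.search(chunk)
        if m:
            key = (field_type(m["s"]), field_type(m["t"]), m["cls"])
            denied[key].update(m["perms"].split())
    return dict(denied)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

The grouped output is a triage aid for a bug report: it shows which domains were denied which permissions, not which rules ought to be added to policy.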