mailman cgi-bin denied search

Tim Fenn fenn at stanford.edu
Thu Oct 20 06:10:21 UTC 2005


On Wed, Oct 19, 2005 at 10:31:36PM -0400, Daniel J Walsh wrote:
> Tim Fenn wrote:
> >On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
> >  
> >>Tim Fenn wrote:
> >>    
> >>>I recently installed mailman on my FC3 box (using the redhat based
> >>>RPMs), and it seems to be working just fine, except for the numerous
> >>>avc messages it cranks out whenever I run one of the cgi scripts
> >>>associated with mailman (e.g. via the web interface):
> >>>
> >>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
> >>>{ search } for  pid=18761 comm="listinfo" name="run" dev=sda1
> >>>ino=1294372 scontext=root:system_r:mailman_cgi_t
> >>>tcontext=system_u:object_r:var_run_t tclass=dir
> >>>
> >>>      
> >>Why would mailman listinfo be searching /var/log directory?
> >>
> >>    
> >
> >Well, I get the same errors with mailmanctl:
> >
> >./mailmanctl status
> >
> >yields no output, and the following errors:
> >Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
> >{ read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
> >ino=5 scontext=root:system_r:mailman_mail_t
> >tcontext=root:object_r:devpts_t tclass=chr_file
> >Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
> >{ search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
> >ino=1294372 scontext=root:system_r:mailman_mail_t
> >tcontext=system_u:object_r:var_run_t tclass=dir
> >Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
> >{ setgid } for  pid=20837 comm="mailmanctl" capability=6
> >scontext=root:system_r:mailman_mail_t
> >tcontext=root:system_r:mailman_mail_t tclass=capability
> >
> >However, if I comment out:
> >
> >from Mailman.Logging.Syslog import syslog
> >
> >in the mailmanctl script, all is well:
> >
> ># ./mailmanctl status
> >mailman (pid 17677) is running...
> >
> >and no error messages.  I would assume the same is true with the
> >cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
> >
> >Regards,
> >Tim
> >  
> Yes.  Submit a bug.  Although generating these in FC4 would be far more
> interesting.  Also, do these AVC messages cause problems or are they just
> being reported?  No output from the script is fixed in FC4.
> 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171265

I tested mailman on an FC4 machine, no problems.  Seemed to work as
expected - no errors.

The AVC messages don't prevent mailman from working - I can make lists
and so forth (although some scripts, like mailmanctl, don't work),
but I haven't done extensive testing...

Hope this helps,
Tim



