Mailman/Postfix execute_no_trans denial

Todd Zullinger tmz at pobox.com
Mon May 22 20:54:32 UTC 2006


Paul Howarth wrote:
> On Sun, 2006-05-21 at 16:58 -0400, Todd Zullinger wrote:
[...]
>> Here's the avc denial I get:
>> 
>> audit(1148242843.454:41): avc:  denied  { execute_no_trans } for  pid=27763 comm="local" name="mailman" dev=sda2 ino=163878 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
>> 
>> I read a thread from a month or so back where another fellow was using
>> mailman and postfix, but he was using the postfix-to-mailman-2.1.py
>> script for integration.
> 
> This looks similar to issues I had running scripts from procmail. I
> wonder if the script you're running here should be bin_t rather than
> lib_t?

I supposed it might help if I posted the error from postfix. :)

May 21 15:28:35 localhost postfix/pickup[26079]: 8DBFC28076: uid=500 from=<tmz>
May 21 15:28:35 localhost postfix/cleanup[26290]: 8DBFC28076: message-id=<20060521192835.8DBFC28076 at localhost.localdomain>
May 21 15:28:35 localhost postfix/qmgr[26080]: 8DBFC28076: from=<tmz at localhost.localdomain>, size=325, nrcpt=1 (queue active)
May 21 15:28:35 localhost local[26399]: fatal: execvp /usr/lib/mailman/mail/mailman: Permission denied
May 21 15:28:36 localhost postfix/local[26291]: 8DBFC28076: to=<pgp-test at localhost.localdomain>, orig_to=<pgp-test>, relay=local, delay=1, status=bounced (Command died with status 1: "/usr/lib/mailman/mail/mailman post pgp-test")

Does this still seem similar to the procmail issue you were seeing,
Paul?  I know that postfix tries to execute commands run via aliases
as the user which owns the alias file and I am guessing that's what's
causing the problem here.

Would changing /usr/lib/mailman/mail/mailman from lib_t to bin_t
negatively affect those using mailman with Sendmail as their MTA?

When I get a moment I'll boot to FC5 and try changing the context to
see what happens.

Thanks for the response.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
The income tax created more criminals than any other single act of
government.
    -- Sen. Barry M. Goldwater, 1989

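An added example, not part of the original message or of any SELinux tooling: a small Python parser that extracts the source type, target type, class and permission from the AVC denial quoted above and ties it to the execvp failure in the Postfix log. The function names are illustrative, and both sample lines are copied from the message.

```python
import re

# Sample input: the AVC denial and the "fatal: execvp" line quoted in the message.
AVC = ('audit(1148242843.454:41): avc:  denied  { execute_no_trans } for  '
       'pid=27763 comm="local" name="mailman" dev=sda2 ino=163878 '
       'scontext=user_u:system_r:postfix_local_t:s0 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')
MAILLOG = ('May 21 15:28:35 localhost local[26399]: fatal: execvp '
           '/usr/lib/mailman/mail/mailman: Permission denied')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)')
EXEC_RE = re.compile(r'\s(?P<comm>[\w-]+)\[(?P<pid>\d+)\]: '
                     r'fatal: execvp (?P<path>\S+): Permission denied')

def parse_avc(line):
    """Return the denial's key=value fields plus perms, stype and ttype."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = (f.split('=', 1) for f in m.group('kv').split() if '=' in f)
    rec = {k: v.strip('"') for k, v in fields}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def parse_exec_failure(line):
    """Return comm, pid and path from a 'fatal: execvp' syslog line."""
    m = EXEC_RE.search(line)
    return m.groupdict() if m else None

def correlate(avc, fail):
    # The two excerpts carry different pids (separate delivery attempts),
    # so match on the command name and the file's basename instead.
    return avc['comm'] == fail['comm'] and avc['name'] == fail['path'].rsplit('/', 1)[-1]

def summarize(avc_line, log_line):
    """One-line description of which domain was denied what on which file."""
    avc, fail = parse_avc(avc_line), parse_exec_failure(log_line)
    if not avc or not fail or not correlate(avc, fail):
        return None
    return (f"{avc['stype']} -> {avc['ttype']}:{avc['tclass']} "
            f"{{ {' '.join(avc['perms'])} }} on {fail['path']}")

if __name__ == '__main__':
    print(summarize(AVC, MAILLOG))
```
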




More information about the fedora-selinux-list mailing list