mailman doesn't receive messages from sendmail on fresh F8 install

Daniel J Walsh dwalsh at redhat.com
Tue Feb 19 14:55:11 UTC 2008


Edward Kuns wrote:
> I freshly installed F8 on a new box, then copied the mailman and
> sendmail configuration over from the old box.  I made sure everything
> was labeled correctly with "restorecon -r -v /etc" and the same for /var
> where mailman lives.
> 
> The web pages work, but if I try to send a message to any list, I get
> SELinux alerts that prevent the message from going through.  I don't
> believe I was using selinux on the old machine.  I know I could just set
> selinux to permissive mode and this would probably work, but I'd rather
> understand what the problem is and fix it.
> 
> Below are the selinux complaints generated from trying to send to the
> mailman test list on my server:
> 
> Any ideas on what I can do to fix this?  I've been googling for a couple
> hours and haven't found anything that fits this situation exactly.
> 
>       Thanks
> 
>          Eddie
> 
> 
> Summary
>     SELinux is preventing python (sendmail_t) "search" to <Unknown>
>     (mailman_log_t).
> 
> Detailed Description
>     SELinux denied access requested by python. It is not expected that this
>     access is required by python and this access may signal an intrusion
>     attempt. It is also possible that the specific version or configuration of
>     the application is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown> If this does not work, there is currently no automatic way to
>     allow this access. Instead,  you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:sendmail_t:s0
> Target Context                system_u:object_r:mailman_log_t:s0
> Target Objects                None [ dir ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   15
> First Seen                    Mon 18 Feb 2008 09:18:28 AM CST
> Last Seen                     Mon 18 Feb 2008 01:06:39 PM CST
> Local ID                      78d260f8-f1d3-49b3-bea6-bc0cc400735c
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { search } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> name=mailman
> pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=dir
> tcontext=system_u:object_r:mailman_log_t:s0 tty=(none) uid=8
> 
> 
> Summary
>     SELinux is preventing python (sendmail_t) "getattr" to
>     /var/lib/mailman/lists/mailman/config.pck (mailman_data_t).
> 
> Detailed Description
>     SELinux denied access requested by python. It is not expected that this
>     access is required by python and this access may signal an intrusion
>     attempt. It is also possible that the specific version or configuration of
>     the application is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for
>     /var/lib/mailman/lists/mailman/config.pck, restorecon -v
>     /var/lib/mailman/lists/mailman/config.pck If this does not work, there is
>     currently no automatic way to allow this access. Instead,  you can generate
>     a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:sendmail_t:s0
> Target Context                system_u:object_r:mailman_data_t:s0
> Target Objects                /var/lib/mailman/lists/mailman/config.pck [ file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Mon 18 Feb 2008 01:06:39 PM CST
> Last Seen                     Mon 18 Feb 2008 01:06:39 PM CST
> Local ID                      5d954998-3826-4af2-9569-0295ae134c27
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> path=/var/lib/mailman/lists/mailman/config.pck pid=12198
> scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
> 
> 
> Summary
>     SELinux is preventing python (sendmail_t) "getattr" to
>     /var/lib/mailman/lists/mailman/config.pck.last (mailman_data_t).
> 
> Detailed Description
>     SELinux denied access requested by python. It is not expected that this
>     access is required by python and this access may signal an intrusion
>     attempt. It is also possible that the specific version or configuration of
>     the application is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for
>     /var/lib/mailman/lists/mailman/config.pck.last, restorecon -v
>     /var/lib/mailman/lists/mailman/config.pck.last If this does not work, there
>     is currently no automatic way to allow this access. Instead,  you can
>     generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:sendmail_t:s0
> Target Context                system_u:object_r:mailman_data_t:s0
> Target Objects                /var/lib/mailman/lists/mailman/config.pck.last [ file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Mon 18 Feb 2008 01:06:39 PM CST
> Last Seen                     Mon 18 Feb 2008 01:06:39 PM CST
> Local ID                      37d2b949-06bf-4cb0-845e-6aa41a16076c
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> path=/var/lib/mailman/lists/mailman/config.pck.last pid=12198
> scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
> 
> 
These look like leaked file descriptors from mailman, but not sure they
are preventing sendmail from running.  Could you put the machine into
permissive mode and verify that mailman is working?

Did you change the configuration to use sendmail rather than using the
default internal mechanism of mailman to send mail?  (I am not a mailman
expert, so I am relaying questions from some co-workers.)