fedora-selinux February 2008 archive

Re: mailman doesn't receive messages from sendmail on fresh F8 install

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue Feb 19 2008 - 14:55:11 GMT
To: Edward Kuns <ekuns@kilroy.chi.il.us>


Edward Kuns wrote:
> I freshly installed F8 on a new box, then copied the mailman and
> sendmail configuration over from the old box. I made sure everything
> was labeled correctly with "restorecon -r -v /etc" and the same for /var
> where mailman lives.
>
> The web pages work, but if I try to send a message to any list, I get
> SELinux alerts that prevent the message from going through. I don't
> believe I was using selinux on the old machine. I know I could just set
> selinux to permissive mode and this would probably work, but I'd rather
> understand what the problem is and fix it.
>
> Below are the selinux complaints generated from trying to send to the
> mailman test list on my server:
>
> Any ideas on what I can do to fix this? I've been googling for a couple
> hours and haven't found anything that fits this situation exactly.
>
> Thanks
>
> Eddie
>
>
> Summary
> SELinux is preventing python (sendmail_t) "search" to <Unknown>
> (mailman_log_t).
>
> Detailed Description
> SELinux denied access requested by python. It is not expected that
> this
> access is required by python and this access may signal an intrusion
> attempt. It is also possible that the specific version or
> configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could
> try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown> If this does not work, there is currently no automatic way
> to
> allow this access. Instead, you can generate a local policy module
> to allow
> this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t:s0
> Target Context system_u:object_r:mailman_log_t:s0
> Target Objects None [ dir ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-84.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name kilroy.chi.il.us
> Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8
> #1 SMP
> Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count 15
> First Seen Mon 18 Feb 2008 09:18:28 AM CST
> Last Seen Mon 18 Feb 2008 01:06:39 PM CST
> Local ID 78d260f8-f1d3-49b3-bea6-bc0cc400735c
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> name=mailman
> pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=dir
> tcontext=system_u:object_r:mailman_log_t:s0 tty=(none) uid=8
>
>
> Summary
> SELinux is preventing python (sendmail_t) "getattr" to
> /var/lib/mailman/lists/mailman/config.pck (mailman_data_t).
>
> Detailed Description
> SELinux denied access requested by python. It is not expected that
> this
> access is required by python and this access may signal an intrusion
> attempt. It is also possible that the specific version or
> configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could
> try to
> restore the default system file context for
> /var/lib/mailman/lists/mailman/config.pck, restorecon -v
> /var/lib/mailman/lists/mailman/config.pck If this does not work,
> there is
> currently no automatic way to allow this access. Instead, you can
> generate
> a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t:s0
> Target Context system_u:object_r:mailman_data_t:s0
> Target Objects /var/lib/mailman/lists/mailman/config.pck [ file ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-84.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name kilroy.chi.il.us
> Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8
> #1 SMP
> Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count 1
> First Seen Mon 18 Feb 2008 01:06:39 PM CST
> Last Seen Mon 18 Feb 2008 01:06:39 PM CST
> Local ID 5d954998-3826-4af2-9569-0295ae134c27
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> path=/var/lib/mailman/lists/mailman/config.pck pid=12198
> scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
>
>
> Summary
> SELinux is preventing python (sendmail_t) "getattr" to
> /var/lib/mailman/lists/mailman/config.pck.last (mailman_data_t).
>
> Detailed Description
> SELinux denied access requested by python. It is not expected that
> this
> access is required by python and this access may signal an intrusion
> attempt. It is also possible that the specific version or
> configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could
> try to
> restore the default system file context for
> /var/lib/mailman/lists/mailman/config.pck.last, restorecon -v
> /var/lib/mailman/lists/mailman/config.pck.last If this does not
> work, there
> is currently no automatic way to allow this access. Instead, you
> can
> generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t:s0
> Target Context system_u:object_r:mailman_data_t:s0
> Target Objects /var/lib/mailman/lists/mailman/config.pck.last [ file ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-84.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name kilroy.chi.il.us
> Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8
> #1 SMP
> Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count 1
> First Seen Mon 18 Feb 2008 01:06:39 PM CST
> Last Seen Mon 18 Feb 2008 01:06:39 PM CST
> Local ID 37d2b949-06bf-4cb0-845e-6aa41a16076c
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8
> exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0
> path=/var/lib/mailman/lists/mailman/config.pck.last pid=12198
> scontext=system_u:system_r:sendmail_t:s0 sgid=41
> subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

These look like leaked file descriptors from mailman, but not sure they are preventing sendmail from running. Could you put the machine into permissive mode and verify that mailman is working?

Did you change the configuration to use sendmail rather than using the default internal mechanism of mailman to send mail? (I am not a mailman expert, so I am relaying questions from some co-workers.)
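
The three raw audit records quoted in this thread, grouped by source type, target type and object class so the denials can be read as a set. This is an added example, not part of the original messages: the function names are hypothetical, and the sample records are copied from the quoted alerts with the e-mail line wrapping removed.

```python
import re
from collections import defaultdict

# The three raw audit records quoted in the thread, re-joined onto one line
# each (the e-mail had wrapped them).
SAMPLE_AVCS = """\
avc: denied { search } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 name=mailman pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=dir tcontext=system_u:object_r:mailman_log_t:s0 tty=(none) uid=8
avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 path=/var/lib/mailman/lists/mailman/config.pck pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 path=/var/lib/mailman/lists/mailman/config.pck.last pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {}
    for token in m.group(2).split():  # assumes values contain no spaces
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    rec["perms"] = m.group(1).split()
    return rec

def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def group_denials(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "pids": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec.get("tclass", "?"))
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(rec.get("path") or rec.get("name") or "<unknown>")
        groups[key]["pids"].add(rec.get("pid", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(group_denials(SAMPLE_AVCS).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} pids={sorted(g['pids'])}")
        for obj in sorted(g["objects"]):
            print(f"    {obj}")
```

Run on the quoted records, this collapses the three alerts into two groups, both from the same python process (pid 12198) running as sendmail_t.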