Re: Mailman/Python issues with SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

David Hoffman wrote:

OK, here's one that I can't seem to figure out. Usually when I see log
entries like this, the fix is to be sure that the latest version of
selinux_policy_targetted is applied, and/or run restorecon against the
file being called. But at 4:02am, Mailman is attempting to call Python
to execute something, and this causes the following log entries in my
messages log:

Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc: denied { dac_override } for pid=17159 exe=/usr/bin/python capability=1
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setgid } for pid=17159 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setuid } for pid=17159 exe=/usr/bin/python capability=7
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc: denied { signal } for pid=17159 exe=/usr/bin/python
scontext=system_u:system_r:mailman_mail_t
tcontext=root:system_r:unconfined_t tclass=process


This says that mailman is trying to run a python script that is setuid/setgid and needs to override dac_protections.

Did you change your mail environment. These are definitely not rules you want to add to your mailman. What
ever it is trying to run, should either do a transition or not happen. Did you change your mailer?
A new patch to the kernel is coming to show the COMM line in addition to the exe so that we could figure out
which python script it is trying to execute.

If I check the security context of /usr/bin/python, here is what I get:
-rwxr-xr-x  2 system_u:object_r:bin_t          root root 5396 Feb  2
11:22 python

If I run restorecon /usr/bin/python, and then check the context again,
nothing changes.

I know there is a way to create a policy from these errors, and then
apply the policy to the system, but I would have thought that since my
Mailman and Python installations were from the supplied RPM packages,
and since I wasn't manually compiling them, then the policies that are
in place should already be there.

If anyone can give me a heads up about why this is happening, I would
appreciate it.

Thank you.






--


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux