David Hoffman wrote:
This says that mailman is trying to run a python script that is setuid/setgid and needs to override dac_protections.
OK, here's one that I can't seem to figure out. Usually when I see log entries like this, the fix is to be sure that the latest version of selinux_policy_targetted is applied, and/or run restorecon against the file being called. But at 4:02am, Mailman is attempting to call Python to execute something, and this causes the following log entries in my messages log:
Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc: denied { dac_override } for pid=17159 exe=/usr/bin/python capability=1
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setgid } for pid=17159 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setuid } for pid=17159 exe=/usr/bin/python capability=7
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc: denied { signal } for pid=17159 exe=/usr/bin/python
scontext=system_u:system_r:mailman_mail_t
tcontext=root:system_r:unconfined_t tclass=process
Did you change your mail environment? These are definitely not rules you want to add to your mailman. Whatever it is trying to run should either do a transition or not happen. Did you change your mailer?
A new patch to the kernel is coming to show the COMM line in addition to the exe so that we could figure out which python script it is trying to execute.
If I check the security context of /usr/bin/python, here is what I get:
-rwxr-xr-x 2 system_u:object_r:bin_t root root 5396 Feb 2 11:22 python
If I run restorecon /usr/bin/python, and then check the context again, nothing changes.
I know there is a way to create a policy from these errors, and then apply the policy to the system, but I would have thought that since my Mailman and Python installations were from the supplied RPM packages, and since I wasn't manually compiling them, then the policies that are in place should already be there.
If anyone can give me a heads up about why this is happening, I would appreciate it.
Thank you.
--
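An added example, not part of the original message: a small Python triage script that parses the four AVC denials quoted above (handling the line wrapping), groups them by source type, target type and class, and lists the permissions that should be investigated rather than turned into allow rules. The function names and the `REVIEW_CAPS` set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The four denials quoted in the message above, wrapped as posted.
SAMPLE = """\
Apr 10 04:02:27 master kernel: audit(1113123747.955:0): avc: denied { dac_override } for pid=17159 exe=/usr/bin/python capability=1
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setgid } for pid=17159 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.956:0): avc: denied { setuid } for pid=17159 exe=/usr/bin/python capability=7
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 10 04:02:27 master kernel: audit(1113123747.969:0): avc: denied { signal } for pid=17159 exe=/usr/bin/python
scontext=system_u:system_r:mailman_mail_t
tcontext=root:system_r:unconfined_t tclass=process
"""
# Assumption: capability permissions to review by hand rather than allow.
REVIEW_CAPS = {"dac_override", "dac_read_search", "setuid", "setgid"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(text):
    """Return one dict per denial; a record may wrap over several lines."""
    records = []
    for chunk in re.split(r"(?m)^(?=.*\baudit\()", text):
        m = AVC_RE.search(" ".join(chunk.split()))
        if m:
            rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            rec["perms"] = m.group(1).split()
            records.append(rec)
    return records

def triage(records):
    """Group by (source type, target type, class); list perms needing review."""
    groups = defaultdict(set)
    for r in records:
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        groups[key].update(r["perms"])
    report = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        review = perms & REVIEW_CAPS if cls == "capability" else set()
        if cls == "process" and src != tgt:  # signalling another domain
            review = perms
        report.append({"source": src, "target": tgt, "class": cls,
                       "perms": sorted(perms), "review": sorted(review)})
    return report

if __name__ == "__main__":
    print(*triage(parse_avc(SAMPLE)), sep="\n")
```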