Google reCAPTCHA blocked by SELinux on Mailman 2.1.29 (CentOS 8)
I have migrated my old Mailman server to a CentOS 8.3 server containing this Mailman RPM package:

    mailman-2.1.29-10.module_el8.3.0+548+3169411d.x86_64

I would like to enable Google reCAPTCHA in mm_cfg.py as explained in /usr/lib/mailman/Mailman/Defaults.py with:

    RECAPTCHA_SITE_KEY = xxx
    RECAPTCHA_SECRET_KEY = yyy

I have created the prerequisite V2 keys on https://www.google.com/recaptcha/admin and restarted the mailman service. The Mailman list page now contains a nice "I'm not a robot" frame as expected.
However, when I click "Subscribe", the confirmation page says "[Errno 13] Permission denied" (copied from my memory) and the subscription fails :-(
It finally dawned upon me that this could be a SELinux issue, since I naturally want Enforcing mode. If I use "setenforce Permissive" the Mailman error goes away!
The command "journalctl -t setroubleshoot" tells me:

    SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 443.
    (lines deleted)
    If you believe that python2.7 should be allowed name_connect access on the port 443 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c 'python2' --raw | audit2allow -M my-python2
    # semodule -X 300 -i my-python2.pp

I can confirm that the Mailman error is fixed by this workaround.
Question: Is there a proper way to configure this SELinux access for python2.7, rather than making this workaround?
Such a solution should be submitted as a bug report to RedHat/CentOS/Fedora.
Thanks a lot, Ole
I found this Ansible role that may possibly contain a solution, but I don't know how to apply such a SELinux policy to my system? https://github.com/CentOS/ansible-role-mailman/blob/master/files/recaptcha/s...
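
An added example (not part of the thread and not the Ansible role's policy): because `ausearch -c 'python2'` selects denials by command name, this script lists the source domains found in raw AVC records, builds a module restricted to one domain, and gives the commands for compiling and loading a reviewed `.te` file. The sample records, the module name `mailman_recaptcha`, the function names, and the types `mailman_cgi_t`, `http_port_t` and `other_app_t` are assumptions; take the real types from your own audit log.

```bash
#!/bin/bash
# Constructed sample records (not from the page). ASSUMPTIONS: the Mailman CGI
# runs in mailman_cgi_t and port 443 is labelled http_port_t; other_app_t is a
# made-up second domain. Check your own `ausearch -c python2 --raw` output.
SAMPLE_AVC='type=AVC msg=audit(1610000000.000:100): avc:  denied  { name_connect } for  pid=2000 comm="python2" dest=443 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1610000001.000:101): avc:  denied  { read write } for  pid=2001 comm="python2" name="x.db" scontext=system_u:system_r:other_app_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# List every source domain present in the AVC records read from stdin.
avc_source_domains() {
    grep -o 'scontext=[^ ]*' | cut -d: -f3 | sort -u
}

# avc_to_te MODULE DOMAIN: emit a policy module covering only the denials
# whose source domain is DOMAIN, one allow rule per (target type, class).
avc_to_te() {
    awk -v mod="$1" -v dom="$2" '
    function val(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
    }
    /avc: +denied/ {
        split(val("scontext"), s, ":"); split(val("tcontext"), t, ":")
        if (s[3] != dom) next
        cls = val("tclass"); perms = $0
        sub(/.*denied +[{] +/, "", perms); sub(/ +[}].*/, "", perms)
        types[s[3]] = 1; types[t[3]] = 1
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (!((t[3], cls, p[i]) in seen)) allow[dom " " t[3] ":" cls] = allow[dom " " t[3] ":" cls] " " p[i]
            if (!((cls, p[i]) in cseen)) need[cls] = need[cls] " " p[i]
            seen[t[3], cls, p[i]] = 1; cseen[cls, p[i]] = 1
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (x in types) printf "\ttype %s;\n", x
        for (c in need) printf "\tclass %s {%s };\n", c, need[c]
        print "}\n"
        for (k in allow) printf "allow %s {%s };\n", k, allow[k]
    }'
}

# Compile and load a reviewed NAME.te (run as root on the SELinux host).
install_te() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mailman_recaptcha mailman_cgi_t
```

On a real host, feed `ausearch -m AVC -c python2 --raw` into the two functions, save the output as `mailman_recaptcha.te`, read it, and then run `install_te mailman_recaptcha`.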