Hi,
I can't create a new list within the web interface. Could someone tell me whether it's a known bug? Even if I change the permission of the folder lists to 777 I get the same error. My OS is Fedora Core 3. Mailman 2.1.5, Python2.4, Apache2.0.52
Thanks,
Markus
Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/lib/mailman/Mailman/Cgi/create.py", line 55, in main
    process_request(doc, cgidata)
  File "/usr/lib/mailman/Mailman/Cgi/create.py", line 187, in process_request
    mlist.Create(listname, owner, pw, langs, emailhost)
  File "/usr/lib/mailman/Mailman/MailList.py", line 454, in Create
    self._full_path = Site.get_listpath(name, create=1)
  File "/usr/lib/mailman/Mailman/Site.py", line 65, in get_listpath
    _makedir(path)
  File "/usr/lib/mailman/Mailman/Site.py", line 40, in _makedir
    os.makedirs(path, 02775)
  File "/usr/local/lib/python2.4/os.py", line 159, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/test'
Python information:
Variable            Value
sys.version         2.4 (#1, Jan 27 2005, 13:25:37) [GCC 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)]
SERVER_SIGNATURE    Apache/2.0.52 (Fedora)
On Mon, 2005-01-31 at 11:01 +0100, Markus Darges wrote:
> Hi,
> I can't create a new list within the web interface. Could someone tell me whether it's a known bug? Even if I change the permission of the folder lists to 777 I get the same error. My OS is Fedora Core 3. Mailman 2.1.5, Python2.4, Apache2.0.52
First off, I trust you are using Red Hat's mailman rpm for FC3.
There is a possibility you may have run afoul of SELinux, but it's very hard to tell from the information presented. SELinux is a security enhancement that restricts operations beyond the traditional UNIX permissions. In FC3 SELinux is enabled by default in what is called "targeted" mode, meaning SELinux is only used for "targeted" applications and services because those applications and services are open to the network and are much more vulnerable to exploit; mailman is one of the services under SELinux protection. The security policy is non-trivial to author correctly; it is possible we may have missed a corner case. Here are two simple things you can do to determine if SELinux is responsible for your access problems.
Look in /var/log/messages for any lines with "avc" in them. It will probably read something like "audit avc access denied ...", but I'm going from memory, so don't use the full string I gave you to search for; I'm almost positive the exact string is slightly different. If the security policy is denying access, it will log it in /var/log/messages and it should be pretty obvious.
Turn off SELinux and run your mailman action again. Does the problem go away? If so, this is a sure sign it's a bug in the security policy. To disable SELinux, su to root and run system-config-securitylevel; you'll see a dropdown box for SELinux, select the option to disable it.
If this fixes the problem, then make sure you're fully up to date with the security policy: use your favorite package manager (e.g. yum) to update this rpm: selinux-policy-targeted. Go back and enable SELinux. Do you still have the problem? If not, great; if so, then please file a bug here: https://bugzilla.redhat.com and be sure to include the operation being performed, the avc error messages from /var/log/messages, and the rpm versions of mailman and selinux-policy-targeted.
-- John Dennis <jdennis@redhat.com>
Thanks for the fast response! You are right, SELinux seems to be the problem. But I disabled it already before. I followed your instructions and found the avc message denied... in the log. I updated selinux-policy-targeted by yum and mailman is no longer complaining about the permission to create a list. But I still can't create the mbox.
Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", line 55, in main
  File "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", line 187, in process_request
  File "/usr/lib/mailman/Mailman/MailList.py", line 457, in Create
    self.InitVars(name, admin, crypted_password)
  File "/usr/lib/mailman/Mailman/MailList.py", line 372, in InitVars
    baseclass.InitVars(self)
  File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line 95, in InitVars
    os.mkdir(self.archive_dir()+'.mbox', 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test5.mbox'
The settings of the folder private are 02755
In /var/log/messages I found:
Feb 1 09:57:52 mailman kernel: audit(1107248272.299:0): avc: denied { write } for pid=2787 exe=/usr/bin/python2.3 name=scripts dev=sda5 ino=910468 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:lib_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.531:0): avc: denied { create } for pid=2787 exe=/usr/bin/python2.3 name=test5.mbox scontext=root:system_r:mailman_cgi_t tcontext=root:object_r:mailman_archive_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.589:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.590:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
It seems that I can't disable SELinux by the drop down box. Is there another way to disable it?
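The log check suggested earlier in the thread (find the "avc" lines in /var/log/messages and see what was denied), as an added example that is not part of the original messages. It parses the denials quoted above and groups them by source type, target type, class and permission; the function names and the one non-AVC sample line are assumptions made for the example.

```python
import re
from collections import Counter

# The six AVC lines are the ones quoted in the thread; the first line is a
# constructed non-AVC entry, included to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Feb 1 09:57:51 mailman httpd: constructed non-AVC line
Feb 1 09:57:52 mailman kernel: audit(1107248272.299:0): avc: denied { write } for pid=2787 exe=/usr/bin/python2.3 name=scripts dev=sda5 ino=910468 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:lib_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.531:0): avc: denied { create } for pid=2787 exe=/usr/bin/python2.3 name=test5.mbox scontext=root:system_r:mailman_cgi_t tcontext=root:object_r:mailman_archive_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.589:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.590:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to attribute the denial
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is what policy rules match on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials per (source type, target type, class, permission, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"], rec["tclass"], perm, rec.get("name"))
                counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm, name), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n}x {src} denied {{ {perm} }} on {tgt}:{cls} (name={name})")
```

In the summary, the `create` denial on `mailman_archive_t` with `name=test5.mbox` lines up with the `os.mkdir` failure in the traceback, which is the kind of detail a policy bug report needs.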
Markus Darges wrote:
> It seems that I can't disable SELinux by the drop down box. Is there another way to disable it?
OK, I disabled it (set selinux=0 in grub.conf) and now all works fine.
Markus> I can't create a new list within the webinterface. ...
John> There is a possibility you may have run afoul of SELinux ...
Markus> ok I disabled set selinux=0 in grub.conf and all works fine
FYI, I've created the following bug entry to track this problem.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146890
-- John Dennis <jdennis@redhat.com>
Thanks John!
But that was not the only problem between SELinux and mailman. With SELinux turned on I couldn't import a list of new members. I got the error that no usable temporary file could be found. And I wasn't able to change the html sites:
Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
    ChangeHTML(mlist, cgidata, template_name, doc)
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
    os.mkdir(langdir, 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'