[Mailman-Users] can't create lists within the webinterface
Markus Darges
darges at hrz.uni-siegen.de
Tue Feb 1 10:17:24 CET 2005
John Dennis wrote:
>On Mon, 2005-01-31 at 11:01 +0100, Markus Darges wrote:
>
>
>>Hi,
>>
>>I can't create a new list within the webinterface. Could someone tell
>>me whether it's a known bug? Even if I change the permission of the
>>folder lists to 777 I get the same error.
>>My OS is Fedora Core 3. Mailman 2.1.5, Python2.4, Apache2.0.52
>>
>>
>
>First off, I trust you are using Red Hat's mailman rpm for FC3.
>
>There is a possibility you may have run afoul of SELinux, but it's very
>hard to tell from the information presented. SELinux is a security
>enhancement that restricts operations beyond the traditional UNIX
>permissions. In FC3 SELinux is enabled by default in what is called
>"targeted" mode, meaning SELinux is only used for "targeted"
>applications and services because those applications and services are
>open to the network and are much more vulnerable to exploit; mailman is
>one of the services under SELinux protection. The security policy is
>non-trivial to author correctly; it is possible we may have missed a
>corner case. Here are two simple things you can do to determine if
>SELinux is responsible for your access problems.
>
>1) Look in /var/log/messages for any lines with "avc" in them. It will
>probably read something like "audit avc access denied ..." but I'm going
>from memory so don't use the full string I gave you to search for, I'm
>almost positive the exact string is slightly different. If the security
>policy is denying access it will log it in /var/log/messages and it
>should be pretty obvious.
>
>2) Turn off SELinux, run your mailman action again, does the problem go
>away? If so, this is a sure sign it's a bug in the security policy. To
>disable SELinux, su to root and run system-config-securitylevel, you'll
>see a dropdown box for SELinux, select the option to disable it.
>
>If this fixes the problem, then make sure you're fully up to date with
>the security policy, use your favorite package manager (e.g. yum) to
>update this rpm: selinux-policy-targeted. Go back and enable SELinux, do
>you still have the problem? If not, great; if so, then please file a bug
>here: https://bugzilla.redhat.com and be sure to include the operation
>being performed, the avc error messages from /var/log/messages, and the
>rpm versions of mailman and selinux-policy-targeted.
>
>
>
>
Thanks for the fast response!
You are right, SELinux seems to be the problem. But I had already
disabled it before. I followed your instructions and found the avc
message denied... in the log. I updated selinux-policy-targeted by yum
and mailman is no longer complaining about the permission to create a
list. But I still can't create the mbox.

Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", line 55, in main
  File "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", line 187, in process_request
  File "/usr/lib/mailman/Mailman/MailList.py", line 457, in Create
    self.InitVars(name, admin, crypted_password)
  File "/usr/lib/mailman/Mailman/MailList.py", line 372, in InitVars
    baseclass.InitVars(self)
  File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line 95, in InitVars
    os.mkdir(self.archive_dir()+'.mbox', 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test5.mbox'

The settings of the folder private are 02755
In /var/log/messages I found:

Feb 1 09:57:52 mailman kernel: audit(1107248272.299:0): avc: denied { write } for pid=2787 exe=/usr/bin/python2.3 name=scripts dev=sda5 ino=910468 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:lib_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.531:0): avc: denied { create } for pid=2787 exe=/usr/bin/python2.3 name=test5.mbox scontext=root:system_r:mailman_cgi_t tcontext=root:object_r:mailman_archive_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.589:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.590:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir

It seems that I can't disable SELinux by the drop down box. Is there
another way to disable it?
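
Added example (not part of the original post, and not Mailman or Red Hat code): a small Python parser for the kernel AVC denial lines quoted in the message above, grouping them by source type, target type, object class, permission and object name so the denial behind the failed os.mkdir is easy to pick out. The sample input is the six log lines from the post, re-joined to one line each; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the six AVC lines from the post, re-joined to one line each.
SAMPLE_LOG = """\
Feb 1 09:57:52 mailman kernel: audit(1107248272.299:0): avc: denied { write } for pid=2787 exe=/usr/bin/python2.3 name=scripts dev=sda5 ino=910468 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:lib_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.531:0): avc: denied { create } for pid=2787 exe=/usr/bin/python2.3 name=test5.mbox scontext=root:system_r:mailman_cgi_t tcontext=root:object_r:mailman_archive_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.565:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.589:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
Feb 1 09:57:52 mailman kernel: audit(1107248272.590:0): avc: denied { search } for pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 ino=97345 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:src_t tclass=dir
"""

# Matches the message format shown in the post: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # A context reads user:role:type (a level may follow); the type is field 3.
        source_type = fields["scontext"].split(":")[2]
        target_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"perms": m.group(1).split(), "source_type": source_type,
            "target_type": target_type, "tclass": tclass,
            "name": fields.get("name"), "exe": fields.get("exe")}


def summarize(log_text):
    """Count denials per (source type, target type, class, permission, object name)."""
    counts = Counter()
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        for perm in denial["perms"]:
            counts[(denial["source_type"], denial["target_type"],
                    denial["tclass"], perm, denial["name"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

In the summary, the single create denial on test5.mbox (mailman_cgi_t acting on mailman_archive_t) is the one that corresponds to the OSError in the traceback.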