[Mailman-Users] can't create lists within the web interface

Markus Darges darges at hrz.uni-siegen.de
Tue Feb 1 15:51:10 CET 2005


Markus Darges wrote:

> John Dennis wrote:
>
>> On Mon, 2005-01-31 at 11:01 +0100, Markus Darges wrote:
>>  
>>
>>> Hi,
>>>
>>> I can't create a new list within the web interface. Could someone 
>>> tell me whether it's a known bug? Even if I change the permission 
>>> of the folder lists to 777 I get the same error.
>>> My OS is Fedora Core 3. Mailman 2.1.5, Python2.4, Apache2.0.52
>>>   
>>
>>
>> First off, I trust you are using Red Hat's mailman rpm for FC3.
>>
>> There is a possibility you may have run afoul of SELinux, but it's very
>> hard to tell from the information presented. SELinux is a security
>> enhancement that restricts operations beyond the traditional UNIX
>> permissions. In FC3 SELinux is enabled by default in what is called
>> "targeted" mode, meaning SELinux is only used for "targeted"
>> applications and services because those applications and services are
>> open to the network and are much more vulnerable to exploit; mailman is
>> one of the services under SELinux protection. The security policy is
>> non-trivial to author correctly; it is possible we may have missed a
>> corner case. Here are two simple things you can do to determine if
>> SELinux is responsible for your access problems.
>>
>> 1) Look in /var/log/messages for any lines with "avc" in it, it will
>> probably read something like "audit avc access denied ..." but I'm going
>> from memory so don't use the full string I gave you to search for, I'm
>> almost positive the exact string is slightly different. If the security
>> policy is denying access it will log it in /var/log/messages and it
>> should be pretty obvious.
>>
>> 2) Turn off SELinux, run your mailman action again, does the problem go
>> away? If so, this is a sure sign it's a bug in the security policy. To
>> disable SELinux, su to root and run system-config-securitylevel, you'll
>> see a dropdown box for SELinux, select the option to disable it.
>>
>> If this fixes the problem, then make sure you're fully up to date with
>> the security policy, use your favorite package manager (e.g. yum) to
>> update this rpm: selinux-policy-targeted. Go back and enable SELinux, do
>> you still have the problem? If not great, if so then please file a bug
>> here: https://bugzilla.redhat.com and be sure to include the operation
>> being performed, the avc error messages from /var/log/messages, and the
>> rpm versions of mailman and selinux-policy-targeted.
>>
>>
>>  
>>
> Thanks for the fast response!
> You are right, SELinux seems to be the problem. But I disabled it 
> already before. I followed your instructions and found the avc message 
> denied... in the log. I updated selinux-policy-targeted by yum and 
> mailman is not any longer complaining about the permission to create a 
> list. But I still can't create the mbox.
>
> Traceback (most recent call last):
>  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
>    main()
>  File 
> "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", 
> line 55, in main
>  File 
> "/usr/src/build/471806-i386/install/usr/lib/mailman/Mailman/Cgi/create.py", 
> line 187, in process_request
>  File "/usr/lib/mailman/Mailman/MailList.py", line 457, in Create
>    self.InitVars(name, admin, crypted_password)
>  File "/usr/lib/mailman/Mailman/MailList.py", line 372, in InitVars
>    baseclass.InitVars(self)
>  File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line 95, in 
> InitVars
>    os.mkdir(self.archive_dir()+'.mbox', 02775)
> OSError: [Errno 13] Permission denied: 
> '/var/lib/mailman/archives/private/test5.mbox'
>
> The settings of the folder private are 02755
>
> In /var/log/messages I found:
>
> Feb  1 09:57:52 mailman kernel: audit(1107248272.299:0): avc:  denied  
> { write } for  pid=2787 exe=/usr/bin/python2.3 name=scripts dev=sda5 
> ino=910468 scontext=root:system_r:mailman_cgi_t 
> tcontext=system_u:object_r:lib_t tclass=dir
> Feb  1 09:57:52 mailman kernel: audit(1107248272.531:0): avc:  denied  
> { create } for  pid=2787 exe=/usr/bin/python2.3 name=test5.mbox 
> scontext=root:system_r:mailman_cgi_t 
> tcontext=root:object_r:mailman_archive_t tclass=dir
> Feb  1 09:57:52 mailman kernel: audit(1107248272.565:0): avc:  denied  
> { search } for  pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 
> ino=97345 scontext=root:system_r:mailman_cgi_t 
> tcontext=system_u:object_r:src_t tclass=dir
> Feb  1 09:57:52 mailman kernel: audit(1107248272.565:0): avc:  denied  
> { search } for  pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 
> ino=97345 scontext=root:system_r:mailman_cgi_t 
> tcontext=system_u:object_r:src_t tclass=dir
> Feb  1 09:57:52 mailman kernel: audit(1107248272.589:0): avc:  denied  
> { search } for  pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 
> ino=97345 scontext=root:system_r:mailman_cgi_t 
> tcontext=system_u:object_r:src_t tclass=dir
> Feb  1 09:57:52 mailman kernel: audit(1107248272.590:0): avc:  denied  
> { search } for  pid=2787 exe=/usr/bin/python2.3 name=src dev=sda5 
> ino=97345 scontext=root:system_r:mailman_cgi_t 
> tcontext=system_u:object_r:src_t tclass=dir
>
> It seems that I can't disable SELinux by the drop down box. Is there 
> another way to disable it?
>
OK, I disabled it: I set selinux=0 in grub.conf, and now all works fine.


