On F8 (as well as RHEL5 from the looks of things), it seems that mailman is not actually confined. The policy for it is compiled into the base module, but the transition never happens. So, mailmanctl and qrunner run in initrc_t. This looks like it is due to the fact that the default init script for mailman calls "/usr/bin/python /usr/lib/mailman/bin/mailmanctl" and "/usr/bin/python /usr/lib/mailman/bin/qrunner" rather than executing the scripts directly. The simple fix is to remove python from the init script. Anyone else noticing this problem? Any other ideas for a fix?
Thanks, Chad Sellers
Chad Sellers wrote:
> On F8 (as well as RHEL5 from the looks of things), it seems that mailman is not actually confined. The policy for it is compiled into the base module, but the transition never happens. So, mailmanctl and qrunner run in initrc_t. This looks like it is due to the fact that the default init script for mailman calls "/usr/bin/python /usr/lib/mailman/bin/mailmanctl" and "/usr/bin/python /usr/lib/mailman/bin/qrunner" rather than executing the scripts directly. The simple fix is to remove python from the init script. Anyone else noticing this problem? Any other ideas for a fix?
> Thanks, Chad Sellers
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please open a bugzilla on it.
Looks like it is correct in rawhide
grep MAILMANCTL mailman
MAILMANCTL=$MAILMANHOME/bin/mailmanctl
daemon $MAILMANCTL -s -q start
daemon $MAILMANCTL -q stop
$MAILMANCTL -q -u status
$MAILMANCTL -u status
On 3/28/08 2:08 AM, "Daniel J Walsh" dwalsh@redhat.com wrote:
> Please open a bugzilla on it.
> Looks like it is correct in rawhide
> grep MAILMANCTL mailman
> MAILMANCTL=$MAILMANHOME/bin/mailmanctl
> daemon $MAILMANCTL -s -q start
> daemon $MAILMANCTL -q stop
> $MAILMANCTL -q -u status
> $MAILMANCTL -u status
Hmmm, guess I should have checked bugzilla first. Looks like there's already a resolved bug (#350461) for this, which is why it's resolved in rawhide. I don't suppose this will get backported to RHEL5 in an update?
Thanks, Chad
Chad Sellers wrote:
> Hmmm, guess I should have checked bugzilla first. Looks like there's already a resolved bug (#350461) for this, which is why it's resolved in rawhide. I don't suppose this will get backported to RHEL5 in an update?
> Thanks, Chad
A customer Bugzilla is required to get it backported. So open a bugzilla and ask.
selinux@lists.fedoraproject.org
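
Added example, not part of the thread or of the mailman package: two checks for the condition discussed above, one that scans an init script for "interpreter plus script path" invocations and one that lists processes still running in initrc_t. The function names and all sample data are constructed for illustration; the process listing is assumed to have the format of `ps -eo label,pid,args`.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# Static check: read an init script on stdin and print "line:text" for each
# line that runs "<interpreter> <script>" rather than the script itself.
# The file that is exec'd is then the interpreter, so the entrypoint label
# on the script never triggers a domain transition.
interp_invocations() {
    grep -nE '(^|[[:space:]])(/usr)?/bin/(python[0-9.]*|perl|ruby)[[:space:]]+[/$]' || true
}

# Runtime check: read `ps -eo label,pid,args` output on stdin and print
# "pid args" for every process whose SELinux type is initrc_t, i.e. a
# service still running in the init script's domain.
initrc_procs() {
    awk '{ split($1, ctx, ":")
           if (ctx[3] == "initrc_t") { $1 = ""; sub(/^ +/, ""); print } }'
}

# Constructed init script fragments: interpreter-prefixed and direct-exec.
SAMPLE_BAD='MAILMANCTL=/usr/lib/mailman/bin/mailmanctl
daemon /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start'
SAMPLE_GOOD='MAILMANCTL=/usr/lib/mailman/bin/mailmanctl
daemon $MAILMANCTL -s -q start'

# Constructed process listing (PIDs and the httpd line are sample values).
SAMPLE_PS='LABEL                           PID COMMAND
system_u:system_r:initrc_t:s0  2101 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
system_u:system_r:initrc_t:s0  2102 /usr/bin/python /usr/lib/mailman/bin/qrunner
system_u:system_r:httpd_t:s0   1980 /usr/sbin/httpd'

printf '%s\n' "$SAMPLE_BAD"  | interp_invocations   # flags line 2
printf '%s\n' "$SAMPLE_GOOD" | interp_invocations   # prints nothing
printf '%s\n' "$SAMPLE_PS"   | initrc_procs         # lists PIDs 2101 and 2102
```

On a live system the same functions can be fed `ps -eo label,pid,args` and the init script file directly.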