Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied { getattr } for pid=20117 exe=/usr/bin/python path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 scontext=system_u:system_r:mailman_queue_t tcontext=system_u:object_r:var_t tclass=file
It occurs every 5 minutes (so it generates lots of error'ed emails). Mailman requires python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
I can think of 2 possible fixes:
1. Explicitly allow mailman_queue_t to read var_t:
--- mailman.te 2004-09-15 12:53:30.000000000 -0700 +++ /etc/selinux/strict/src-1.17.14-1.patched/policy/domains/program/mailman.te2004-09-14 16:36:43.000000000 -0700 @@ -31,7 +31,7 @@ can_network(mailman_$1_t) can_ypbind(mailman_$1_t) allow mailman_$1_t self:unix_stream_socket create_socket_perms; -allow mailman_$1_t var_t:dir r_dir_perms; +r_dir_file(mailman_$1_t, var_t) ')
mailman_domain(queue, `, auth_chkpwd')
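Review bot: The added `r_dir_file(mailman_$1_t, var_t)` line sits in the shared macro body (it uses `$1`), so every domain created through `mailman_domain(...)` gains read access to all files labelled var_t, while the denial quoted above involves only mailman_queue_t doing getattr on a single file under /var/mailman/pythonlib. Consider keeping the existing `allow mailman_$1_t var_t:dir r_dir_perms;` rule, giving the Python files under /var/mailman a more specific label through mailman.fc, and allowing the mailman domains to read that type instead of the generic var_t.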
or 2. by relabeling the .py, .pyc and .pyo files in /var/mailman/pythonlib and /var/mailman/Mailman as shlib_t (or something else?) i.e. adding this to mailman.fc:
/var/mailman/pythonlib(/.*)?/.*.py([co])? -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*.py([co])? -- system_u:object_r:shlib_t
I'm not sure that shlib_t is correct. (Should it be mailman_queue_t?) But I noticed an entry in types.fc for .so files in the pythonlib tree, and copied that.
tom
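
As an added example (not part of the original post), the Python sketch below parses the denial quoted in the message and checks whether the two proposed mailman.fc patterns would cover the denied path. The helper names are hypothetical, and setfiles' rules for ordering overlapping entries are not modelled.

```python
import re

# The denial quoted in the post.
AVC = ("Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied "
       "{ getattr } for pid=20117 exe=/usr/bin/python "
       "path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330 "
       "scontext=system_u:system_r:mailman_queue_t "
       "tcontext=system_u:object_r:var_t tclass=file")

# The two mailman.fc entries proposed in the post: (regex, file type, context).
# Note: the '.' before 'py' is unescaped there, so it matches any character.
FC_ENTRIES = [
    ("/var/mailman/pythonlib(/.*)?/.*.py([co])?", "--", "system_u:object_r:shlib_t"),
    ("/var/mailman/Mailman(/.*)?/.*.py([co])?", "--", "system_u:object_r:shlib_t"),
]

# File-type field of a .fc entry -> object class seen in the avc message.
FC_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file"}

def parse_avc(line):
    """Split an avc message into result, permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        raise ValueError("not an avc message")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def context_type(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]

def match_fc(path, tclass, entries=FC_ENTRIES):
    """Return the context of the first entry whose anchored regex and file
    type match, or None if the path would keep its current label."""
    for regex, ftype, context in entries:
        if FC_CLASS.get(ftype) == tclass and re.fullmatch(regex, path):
            return context
    return None

if __name__ == "__main__":
    avc = parse_avc(AVC)
    new = match_fc(avc["path"], avc["tclass"])
    print(context_type(avc["scontext"]), avc["perms"], avc["path"])
    print("current type:", context_type(avc["tcontext"]),
          "-> proposed:", context_type(new) if new else "unchanged")
```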