Re: Mailman/Postfix execute_no_trans denial

Paul Howarth wrote:
> On Sun, 2006-05-21 at 16:58 -0400, Todd Zullinger wrote:
>> Here's the avc denial I get:
>> audit(1148242843.454:41): avc:  denied  { execute_no_trans } for  pid=27763 comm="local" name="mailman" dev=sda2 ino=163878 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
>> I read a thread from a month or so back where another fellow was using
>> mailman and postfix, but he was using the postfix-to-mailman-2.1.py
>> script for integration.
> This looks similar to issues I had running scripts from procmail. I
> wonder if the script you're running here should be bin_t rather than
> lib_t?

I supposed it might help if I posted the error from postfix. :)

May 21 15:28:35 localhost postfix/pickup[26079]: 8DBFC28076: uid=500 from=<tmz>
May 21 15:28:35 localhost postfix/cleanup[26290]: 8DBFC28076: message-id=<20060521192835 8DBFC28076 localhost localdomain>
May 21 15:28:35 localhost postfix/qmgr[26080]: 8DBFC28076: from=<tmz localhost localdomain>, size=325, nrcpt=1 (queue active)
May 21 15:28:35 localhost local[26399]: fatal: execvp /usr/lib/mailman/mail/mailman: Permission denied
May 21 15:28:36 localhost postfix/local[26291]: 8DBFC28076: to=<pgp-test localhost localdomain>, orig_to=<pgp-test>, relay=local, delay=1, status=bounced (Command died with status 1: "/usr/lib/mailman/mail/mailman post pgp-test")

Does this still seem similar to the procmail issue you were seeing,
Paul?  I know that postfix tries to execute commands run via aliases
as the user which owns the alias file and I am guessing that's what's
causing the problem here.

Would changing /usr/lib/mailman/mail/mailman from lib_t to bin_t
negatively affect those using mailman with Sendmail as their MTA?

When I get a moment I'll boot to FC5 and try changing the context to
see what happens.

Thanks for the response.
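
Added example, not part of the original message: a small Python parser for the AVC record quoted above. It breaks out the source domain, the target label, the object class and the denied permission, and converts the audit timestamp to UTC so it can be lined up against the postfix log. The function names are made up for this illustration.

```python
import re
from datetime import datetime, timezone

# The denial quoted in the message above, copied verbatim.
SAMPLE = ('audit(1148242843.454:41): avc:  denied  { execute_no_trans } for  '
          'pid=27763 comm="local" name="mailman" dev=sda2 ino=163878 '
          'scontext=user_u:system_r:postfix_local_t:s0 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file')

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return dict(zip(('user', 'role', 'type', 'level'), parts))

def parse_avc(line):
    """Return the structured fields of one AVC audit record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    # key=value pairs after "for"; values may be double-quoted.
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        raise ValueError('AVC record lacks scontext/tcontext')
    return {
        'time': datetime.fromtimestamp(int(m.group('epoch')), tz=timezone.utc),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'fields': fields,
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }

def summarize(rec):
    """One line: which domain was refused which permission on which label."""
    f = rec['fields']
    return '%s %s: %s (comm=%s pid=%s) {%s} on %s "%s" labelled %s' % (
        rec['time'].strftime('%Y-%m-%d %H:%M:%S UTC'), rec['result'],
        rec['source']['type'], f.get('comm'), f.get('pid'),
        ' '.join(rec['perms']), f.get('tclass'), f.get('name'),
        rec['target']['type'])

if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```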

