[Mailman-Users] Re: Migrating Mailman Lists from One Server to Another

2020-11-15 Thread Onyeibo Oku
Hi Mark,

This is now mostly resolved.
Thank you.

I am observing a new phenomenon after the migration. Perhaps I should
start a different thread for that.

Regards
Onyeibo

> On Fri, 30 Oct 2020 07:55:02 -0700
> Mark Sapiro  wrote:

> On 10/30/20 6:37 AM, Onyeibo Oku wrote:
> > There is one unresolved List however.
> > 
> > One particular List has a public archive. 
> > All attempts to access the archive via the web gives me "403
> > Forbidden. You don't have permission to access this resource"
> > 
> > When I flip the archiving to "private", it works fine ... they
> > become accessible via admin interface. Going back to the original
> > setting (Public) makes the archives inaccessible again.
> > 
> > What could be wrong?  
> 
> 
> The /var/lib/mailman/archives/private/ directory is not searchable by
> the web server. It should be mode o+x, or if it is o-x, it must be
> owned by the web server user. See the warning box at
> .
> 
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
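A shell check for the condition Mark describes in the quoted reply (the web server must be able to search /var/lib/mailman/archives/private/: either the directory is o+x, or it is o-x and owned by the web server user). This is an added example, not code from the thread or from Mailman; it also walks every parent directory, which goes beyond the one directory the reply names, because the web server has to traverse each of them. The web server user name and the GNU `stat -c` options are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a directory is
# searchable by the web server the way Mark Sapiro's reply describes.
# Assumes GNU coreutils stat; the web server user name is passed in
# (apache on RHEL-style systems, www-data on Debian-style ones).

# archive_dir_ok DIR WEBUSER
#   exit 0 and print "ok: ..." if WEBUSER can search DIR,
#   exit 1 and print "FAIL: ..." otherwise.
archive_dir_ok() {
    dir=$1
    webuser=$2
    [ -d "$dir" ] || { echo "FAIL: missing directory $dir"; return 1; }
    mode=$(stat -c %a "$dir")    # octal mode, e.g. 2771
    owner=$(stat -c %U "$dir")   # owner name
    others=$(( mode % 10 ))      # last octal digit = "others" bits
    if [ $(( others & 1 )) -eq 1 ]; then
        echo "ok: $dir is o+x (mode $mode)"
        return 0
    fi
    if [ "$owner" = "$webuser" ]; then
        echo "ok: $dir is o-x (mode $mode) but owned by $webuser"
        return 0
    fi
    echo "FAIL: $dir is o-x (mode $mode) and owned by $owner, not $webuser"
    return 1
}

# archive_path_ok DIR WEBUSER
#   apply archive_dir_ok to DIR and every ancestor up to /, because the
#   web server must be able to traverse the whole path, not just the leaf.
archive_path_ok() {
    p=$1
    webuser=$2
    rc=0
    while :; do
        archive_dir_ok "$p" "$webuser" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Typical use on a Mailman host (path from the thread, user name assumed):
#   archive_path_ok /var/lib/mailman/archives/private apache
```

Run it as any user; it reads only the mode and owner of each directory and changes nothing, so the output is safe to paste into a list thread when asking for help.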


[Mailman-Users] CPU %-usage surge associated with list archives

2020-11-15 Thread Onyeibo Oku
Hello everyone,

I am observing increased CPU(%) usage whenever a Mailman User Service
runs. The journal tells me that SELinux is preventing httpd from map
access on the
file /var/lib/mailman/archives/private///.html. A
setroubleshoot service follows.  This cycle repeats quickly, resulting
in a surge in CPU (%) usage.

Why am I getting AVC denials {map} associated with list archives?  Any
ideas on how I should stabilize this?

Regards
Onyeibo


[Mailman-Users] Re: CPU %-usage surge associated with list archives

2020-11-15 Thread Mark Sapiro
On 11/15/20 8:01 AM, Onyeibo Oku wrote:
> Hello everyone,
> 
> I am observing increased CPU(%) usage whenever a Mailman User Service
> runs. The journal tells me that SELinux is preventing httpd from map
> access on the
> file /var/lib/mailman/archives/private///.html. A
> setroubleshoot service follows.  This cycle repeats quickly, resulting
> in a surge in CPU (%) usage.
> 
> Why am I getting AVC denials {map} associated with list archives?  Any
> ideas on how I should stabilize this?

This would appear to be a SELinux issue. It probably requires some
adjustment to your SELinux policies.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


[Mailman-Users] Re: CPU %-usage surge associated with list archives

2020-11-15 Thread Stephen J. Turnbull
Mark Sapiro writes:
 > On 11/15/20 8:01 AM, Onyeibo Oku wrote:

 > > Why am I getting AVC denials {map} associated with list archives?
 > > Any ideas on how I should stabilize this?

We don't have a lot of SELinux experience here.  For example, I myself
have no clue what "AVC denials {map}" means (or even the individual
words!)  You probably want to ask this question (if you don't find out
it's something obvious) on a SELinux channel.  They would also be able
to give you information that would help us decide if we should make a
change because there's a real vulnerability rather than some kind of
configuration mismatch.

 > This would appear to be a SELinux issue. It probably requires some
 > adjustment to your SELinux policies.

We would appreciate it if you let us know what you find out.  I don't
see why access to archives would cause a security issue, but if it
means you have to add special cases to an otherwise useful general
policy, maybe we can do something to avoid triggering SELinux.

Also, we will probably never be SELinux experts, but having a sense of
what common issues are is always helpful.

Steve


[Mailman-Users] Re: CPU %-usage surge associated with list archives

2020-11-15 Thread Bill Cole

On 15 Nov 2020, at 22:18, Stephen J. Turnbull wrote:

> I don't
> see why access to archives would cause a security issue,

FWIW:

1. SELinux doesn't know about specific security issues, it assumes that
nothing is safe unless explicitly allowed.

2. On RHEL7 and its derivatives, the default SELinux policy includes a
module for mailman's executable and data files which *in my experience*
just works without modification when mailman is installed from an
official RPM. It's even documented, if the policy docs are installed:

# apropos mailman |grep selinux
mailman_cgi_selinux (8) - Security Enhanced Linux Policy for the
mailman_cgi processes
mailman_mail_selinux (8) - Security Enhanced Linux Policy for the
mailman_mail processes
mailman_queue_selinux (8) - Security Enhanced Linux Policy for the
mailman_queue processes

It would certainly be possible to break that by assigning the wrong
SELinux labels to the mailman files, perhaps by installing from the
unpackaged source. Fixing that sort of error is probably simple, but it
would depend on what specifically was done. A simple 'restorecon -Rv /'
will fix a lot of issues, but it isn't instantaneous and stomps on any
customization that hasn't been written into the persistent policy.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
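Onyeibo's "AVC denials {map}" and Bill's explanation that wrong file labels (for example after an install from unpackaged source) break the stock policy point to the same triage steps. The script below is an added example, not code from the thread or from Mailman: it summarises audit-log AVC denials by process, permission and target label, lists the denied paths under the archive tree, and prints the read-only SELinux commands an admin would run next to compare the label the policy expects with the label the files carry. The audit lines are constructed, the `var_lib_t` label on them is an assumption standing in for "some wrong label", and the `matchpathcon`/`restorecon` commands are only printed, never executed, so the script runs on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the thread: triage SELinux AVC denials of the
# kind reported against the Mailman archives. Nothing here changes labels
# or policy; the remediation commands are printed for the admin to review.

# Constructed sample audit lines (not real logs). httpd is denied "map"
# and "read" on archive files that carry var_lib_t, an assumed wrong
# label, instead of the type the distribution policy expects.
# permissive=0 means SELinux actually enforced the denial.
SAMPLE_AVC='type=AVC msg=audit(1605456000.101:201): avc:  denied  { map } for  pid=1201 comm="httpd" path="/var/lib/mailman/archives/private/example-list/2020-November/000001.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1605456000.102:202): avc:  denied  { map } for  pid=1201 comm="httpd" path="/var/lib/mailman/archives/private/example-list/2020-November/000002.html" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1605456000.103:203): avc:  denied  { read } for  pid=1201 comm="httpd" path="/var/lib/mailman/archives/private/example-list/index.html" dev="dm-0" ino=5003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1605456000.103:203): arch=c000003e syscall=9 success=no exit=-13 comm="httpd"'

# avc_summary: read audit lines on stdin, print one line per
# "<count> <comm> <permission> <target type>", most frequent first.
# A few identical lines repeating rapidly is the CPU-surge signature
# from the thread; the target type tells you what label the files carry.
avc_summary() {
    awk '
    /type=AVC/ && / denied / {
        s = index($0, "{ "); e = index($0, " }")
        perm = substr($0, s + 2, e - s - 2)          # e.g. "map"
        comm = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }   # user:role:TYPE:level
        }
        count[comm " " perm " " ttype]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# avc_paths PREFIX: read audit lines on stdin, print each distinct denied
# path that starts with PREFIX (once each, in first-seen order).
avc_paths() {
    awk -v pre="$1" '
    /type=AVC/ && / denied / {
        for (i = 1; i <= NF; i++) if ($i ~ /^path=/) {
            p = $i; sub(/^path="?/, "", p); sub(/"$/, "", p)
            if (index(p, pre) == 1 && !(p in seen)) { seen[p] = 1; print p }
        }
    }'
}

# label_check_commands DIR: print the read-only commands to run next.
#   matchpathcon -V  reports whether each file's label matches the policy
#   restorecon -nv   previews what a relabel would change without doing it
label_check_commands() {
    printf 'matchpathcon -V %s\n' "$1"
    printf 'restorecon -nvR %s\n' "$1"
}

# Demo on the constructed sample; on a real host feed `ausearch -m AVC`
# output into the same functions instead.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_paths /var/lib/mailman/archives
label_check_commands /var/lib/mailman/archives/private
```

Reading the summary first keeps the fix proportionate: a single target type under the archive tree that differs from what `matchpathcon -V` expects is a labelling mistake, fixed with a scoped `restorecon` on that tree rather than the filesystem-wide run Bill cautions about, and a denial that persists with correct labels is the case worth taking to an SELinux channel as Steve suggests.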


[Mailman-Users] Re: CPU %-usage surge associated with list archives

2020-11-15 Thread Stephen J. Turnbull
Bill Cole writes:
 > On 15 Nov 2020, at 22:18, Stephen J. Turnbull wrote:

 > > I don't see why access to archives would cause a security issue,

Thanks for the reply!

Also FWIW, I'm explaining here why I don't think this is a Mailman
issue.  If there is a vulnerability in our distribution, and the
SELinux policy is pointing it out, we (I think I speak for all the
core devs here ;-) want to fix it.

 > FWIW:
 > 
 > 1. SELinux doesn't know about specific security issues, it assumes that 
 > nothing is safe unless explicitly allowed.

Yes, I was already aware that that is the "theoretically correct"
policy, and had guessed that SELinux follows it.

 > 2. On RHEL7 and its derivatives, the default SELinux policy includes a 
 > module for mailman's executable and data files which *in my experience* 
 > just works without modification when mailman is installed from an 
 > official RPM.

Aha.  Now *that* is *very* useful information!  So I assume that would
also apply to sufficiently recent CentOS, and most likely to Fedora.
And it's something to look up on Debian and Ubuntu.

Many thanks!

Regards,
Steve

 > It's even documented, if the policy docs are installed:
 > 
 > # apropos mailman |grep selinux
 > mailman_cgi_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_cgi processes
 > mailman_mail_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_mail processes
 > mailman_queue_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_queue processes
 > 
 > It would certainly be possible to break that by assigning the wrong 
 > SELinux labels to the mailman files, perhaps by installing from the 
 > unpackaged source. Fixing that sort of error is probably simple, but it 
 > would depend on what specifically was done. A simple 'restorecon -Rv /' 
 > will fix a lot of issues, but it isn't instantaneous and stomps on any 
 > customization that hasn't been written into the persistent policy.