On Tue, 2005-07-26 at 08:05 -0700, Mark Sapiro wrote: > This has to be a case of the web server not being able to access the > lists/ directory or its subordinates. If bin/check_perms finds no > problems, maybe its a SELinux issue.
[ Note: I will create a new mailman FAQ entry for SELinux, since this issue keeps coming up. ] If it is an SELinux issue here are a set of things you can try: 1) Put SELinux into "permissive" mode, this logs avc errors but permits the operation that would otherwise have been denied. The idea here is to log where SELinux would prohibit an access but not to cause a failure, then if it is SELinux causing the problem you can go back later and fix it. To put SELinux into permissive mode you must be root AND in the sysadm_r (or equivalent) role. # getenforce Enforcing # setenforce Permissive # getenforce Permissive 2) Retry the operation. Does it work now? If not, it wasn't SELinux, go look elsewhere. If it now works then it was SELinux preventing the operation. Now find out why. You'll need to look for "avc: denied" messages. These are typically logged to either the system log file or if the audit daemon is installed to the audit log, on Fedora systems this would be: /var/log/messages /var/log/audit/audit.log Grep these files for avc: grep avc: /var/log/messages /var/log/audit/audit.log Look for "denied" messages whose "comm" or "name" fields are mailman related. Contact your vendor to get the problem resolved, this typically means installing a new security policy with the fix. Installing the newest security policy probably a good initial step. On Fedora this can be done this way: # yum update selinux-policy-targeted You can also run with SELinux disabled, but these days running with open servers without the high level of security protection offered by SELinux is risky. If you have SELinux available you should try to make sure it's enabled to protect yourself. Note: Vendors who are shipping SELinux have crafted security policies to match their distributions, e.g. where things are installed on their distribution. If you build and install mailman yourself you are side stepping all the policy work done by the vendor. You'll either have to craft your own policy to match and properly label all system objects (files, sockets, etc.), disable SELinux, or use the vendors mailman package (by the way this applies to everything under SELinux control which for a mailman installation includes your MTA and web server. Your vendor has worked hard to make sure the security policy works for all components, if you build and install anything yourself you may in conflict with how your vendor has crafted the security policy). -- John Dennis <[EMAIL PROTECTED]> ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp