I have migrated my old Mailman server to a CentOS 8.3 server containing this 
Mailman RPM package:
mailman-2.1.29-10.module_el8.3.0+548+3169411d.x86_64
I would like to enable Google reCAPTCHA in mm_cfg.py as explained in 
/usr/lib/mailman/Mailman/Defaults.py with:
RECAPTCHA_SITE_KEY = xxx
RECAPTCHA_SECRET_KEY = yyy
I have created the prerequisite V2 keys on 
https://www.google.com/recaptcha/admin and restarted the mailman service.
The Mailman list page now contains a nice "I'm not a robot" frame as expected.

However, when I click "Subscribe", the confirmation page says "[Errno 13] 
Permission denied" (copied from my memory) and the subscription fails :-(

It finally dawned upon me that this could be a SELinux issue, since I naturally 
want Enforcing mode.  If I use "setenforce Permissive" the Mailman error goes 
away!

The command "journalctl -t setroubleshoot" tells me:

SELinux is preventing /usr/bin/python2.7 from name_connect access on the 
tcp_socket port 443.
(lines deleted)
If you believe that python2.7 should be allowed name_connect access on the port 
443 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'python2' --raw | audit2allow -M my-python2
# semodule -X 300 -i my-python2.pp

I can confirm that the Mailman error is fixed by this workaround.

Question: Is there a proper way to configure this SELinux access for python2.7, 
rather than making this workaround?

Such a solution should be submitted as a bug report to RedHat/CentOS/Fedora.

Thanks a lot,
Ole
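
Added example, not part of the original post: before loading a module built from `ausearch -c 'python2' --raw`, it helps to see which distinct allow rules the collected denials turn into, because the comm filter matches every process named python2 and not only the Mailman CGI. The audit records and the SELinux type names in the sample are constructed for illustration and are assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample records in `ausearch --raw` format; the SELinux types
# below are illustrative assumptions, not copied from the post.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1611220000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="python2" dest=443 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1611220300.202:502): avc:  denied  { name_connect } for  pid=2150 comm="python2" dest=443 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1611220900.303:503): avc:  denied  { read write } for  pid=2200 comm="python2" name="example.db" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1611220900.303:503): arch=c000003e syscall=2 success=yes comm="python2"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(raw, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        key = (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the summary in the allow-rule syntax audit2allow emits."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return out

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT, comm="python2")):
        print(rule)
```

On the constructed sample, the two identical port-443 denials collapse into one rule, and a second, unrelated rule from another python2 process shows up as well, which is the kind of extra grant worth removing before the module is installed.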