I have migrated my old Mailman server to a CentOS 8.3 server containing this Mailman RPM package: mailman-2.1.29-10.module_el8.3.0+548+3169411d.x86_64 I would like to enable Google reCAPTCHA in mm_cfg.py as explained in /usr/lib/mailman/Mailman/Defaults.py with: RECAPTCHA_SITE_KEY = xxx RECAPTCHA_SECRET_KEY = yyy I have created the prerequisite V2 keys on https://www.google.com/recaptcha/admin and restarted the mailman service. The Mailman list page now contains a nice "I'm not a robot" frame as expected.
However, when I click "Subscribe", the confirmation page says "[Errno 13] Permission denied” (copied from my memory) and the subscription fails :-( It finally dawned upon me that this could be a SELinux issue, since I naturally want Enforcing mode. If I use "setenforce Permissive" the Mailman error goes away! The command "journalctl -t setroubleshoot" tells me: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 443. (lines deleted) If you believe that python2.7 should be allowed name_connect access on the port 443 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'python2' --raw | audit2allow -M my-python2 # semodule -X 300 -i my-python2.pp I can confirm that the Mailman error is fixed by this workaround. Question: Is there a proper way to configure this SELinux access for python2.7, rather than making this workaround? Such a solution should be submitted as a bug report to RedHat/CentOS/Fedora. Thanks a lot, Ole ------------------------------------------------------ Mailman-Users mailing list -- email@example.com To unsubscribe send an email to mailman-users-le...@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://firstname.lastname@example.org/ https://email@example.com/