Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp2928550pxp;
        Mon, 14 Mar 2022 07:35:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJye6W7i3v8rooyXdjx/nGIYfwrmDdjGNJCcaJahK1+FgV2FWkY5MsqtBPpHqb2vY8TE8fDL
X-Received: by 2002:a17:906:c10b:b0:6da:a190:edb0 with SMTP id do11-20020a170906c10b00b006daa190edb0mr18424336ejc.512.1647268510743;
        Mon, 14 Mar 2022 07:35:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647268510; cv=none;
        d=google.com; s=arc-20160816;
        b=CjmRWsQ+Nbl+pF6uT1owe3ZtB9Lze/UWjWqTcQ+yx9XJE09JV6PFEAvh2LYav4Uy9T
         x6NoYx+YNQsSCct1BHwz44CkcifXUjlkUiY/kR8wQcy6T/9UTz/NYCRArffwEZ3S5HDD
         gyJd3bkT3k+3GP28Dl+tV3a0K+syMROtMqh08wVujPLZgzL1aZPwPOBaJILl9okNUF9H
         LtYvavcuoSqVle+i+HPo/K24XEuc7TTFwCBf17N4r4nMAHNmT1soQA/q1k8B3+EIIGfX
         Z/iUmlnSc3GLIIp3XO9rvDs1YgdSSHuQ23C+6maoaiWvB06CRh94DdWMfZ9wezi+UmEm
         rnGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:to:content-language:subject:user-agent:mime-version:date
         :message-id:dkim-signature;
        bh=rj1fRE5OTk/5zZCQpp5VwkCji4H0y9bPUvXXTKLHbvs=;
        b=DSTiaWkCestcFsPtEwqMEL8t5cqqgdmgUA5FKelD6kwTBhqkpLXLaR6M3uoP6Yts2m
         3wjavupheTr/J3e/sVWyfmWD3XxoH+V13ztkiJneaPykd2XEGGd1uBP3aQDSdeKRFPsk
         EJ+9y1FLjFj6QUf7zykQKb/1cNOViXZhxzQBORmFBFoxWscnGdpHhmU4cTwp6o9dMyUF
         k+JofkkQ4XBhAf0hjRilCMVYTwH7QIU1PgxFdvgNpu6/C8t+mnRXg7sNZaA8xCWI9w8C
         KOVr8meiZVxvIk1QH3INfIiZWBkolVdKhsfD4PJZUe+/bykDT801XGduUOK6OWFwJQmV
         mtdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=SAFqh7It;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id x5-20020a05640226c500b004186fee9438si3892503edd.284.2022.03.14.07.35.02;
        Mon, 14 Mar 2022 07:35:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=SAFqh7It;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238880AbiCNNsT (ORCPT <rfc822;axel6043@gmail.com> + 23 others);
        Mon, 14 Mar 2022 09:48:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52634 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231527AbiCNNsS (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 14 Mar 2022 09:48:18 -0400
Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 428DB46176
        for <selinux-refpolicy@vger.kernel.org>; Mon, 14 Mar 2022 06:47:08 -0700 (PDT)
Received: by mail-qv1-xf29.google.com with SMTP id jx8so12047686qvb.2
        for <selinux-refpolicy@vger.kernel.org>; Mon, 14 Mar 2022 06:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :references:from:in-reply-to:content-transfer-encoding;
        bh=rj1fRE5OTk/5zZCQpp5VwkCji4H0y9bPUvXXTKLHbvs=;
        b=SAFqh7IthONTALQ1DwdxfykMkJeDldN+5s7IXMaRv70UmDcZi6bibmNa2DOMu+1IMs
         GcLyzu/R+9NnQgIWlP0LlpPvUrl0t1OGWCl2cqZD4hl32P2W4KVL2VbVj1yWPOi0tnNk
         BIxuiN1cN3w1ayt60FhZG7SW17NnfSvzfRUTg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:references:from:in-reply-to
         :content-transfer-encoding;
        bh=rj1fRE5OTk/5zZCQpp5VwkCji4H0y9bPUvXXTKLHbvs=;
        b=KrNMcH/GtP8rBu+O6B4zkqfT+MpDGxZ8c/HWL+7NZ7ADft0XcPL/dCqYZ9m7gZPhlA
         lf5JgTfbnB7aMO3iTl8ewl/dCEwIiitydnJqVdXC3DMjEspx1DQPO5F8pI0CZqPiG6h/
         75iqu9kxn+gnAxjEJEavp3ULWdcKKbZxSgNLMKz2iQs9eWLjQoE+kNLT5E+GVIloHRCz
         F5GtyjiEogcINgk6D5RMWI+AhJFRWStDXltx1uiY/2IzhbuVDr2vwRN6mig+VFWLa75P
         mtB0aTafZ9tnm6HXd+CopAYjP5JGdr9GsTwTUtEHWIUh62YqccZxoywIu9XgK8a6D8QI
         xhsQ==
X-Gm-Message-State: AOAM5306153QV56ByAXe8ZYuVMoK+GiO4IKSoN/bsO5DO03fCE26v6Ky
        fS9U4qG9vioxQ9RsVvEiKpjX2Fo1vr5UFQ==
X-Received: by 2002:a05:6214:27ec:b0:436:2872:2e09 with SMTP id jt12-20020a05621427ec00b0043628722e09mr16053569qvb.60.1647265627297;
        Mon, 14 Mar 2022 06:47:07 -0700 (PDT)
Received: from [192.168.1.133] (pool-68-134-25-67.bltmmd.fios.verizon.net. [68.134.25.67])
        by smtp.gmail.com with ESMTPSA id k8-20020a05620a138800b00679fc7566fcsm7690257qki.18.2022.03.14.06.47.06
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 14 Mar 2022 06:47:06 -0700 (PDT)
Message-ID: <30f62017-1672-7c40-b37d-b62aa276bbae@ieee.org>
Date:   Mon, 14 Mar 2022 09:47:05 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.2
Subject: Re: [PATCH] mailman3 V3
Content-Language: en-US
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <Yigy+jluQDmPrm8P@xev.coker.com.au>
From:   Chris PeBenito <pebenito@ieee.org>
In-Reply-To: <Yigy+jluQDmPrm8P@xev.coker.com.au>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 3/8/22 23:54, Russell Coker wrote:
> Fixed the issues Chris raised with the previous patch.  I think this is
> ready to merge.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20220309/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20220309/policy/modules/services/mailman.if
> @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`
>   
>   #######################################
>   ## <summary>
> +##	Talk to mailman_cgi_t via Unix domain socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain talking to mailman
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_stream_connect_cgi',`
> +	gen_require(`
> +		type mailman_cgi_t, mailman_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
> +')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman runtime files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to manage the files
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_runtime_files',`
> +	gen_require(`
> +		type mailman_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
> +')
> +
> +#######################################
> +## <summary>
>   ##	Execute mailman in the caller domain.
>   ## </summary>
>   ## <param name="domain">
> @@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`
>   
>   #######################################
>   ## <summary>
> +##	map mailman data content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_map_data_files',`
> +	gen_require(`
> +		type mailman_data_t;
> +	')
> +
> +	allow $1 mailman_data_t:file map;
> +')
> +
> +#######################################
> +## <summary>
>   ##	Create, read, write, and delete
>   ##	mailman data files.
>   ## </summary>
> @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
>   	libs_search_lib($1)
>   	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
>   ')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman lock dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to manage it.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_lockdir',`
> +	gen_require(`
> +		type mailman_lock_t;
> +	')
> +
> +	allow $1 mailman_lock_t:dir manage_dir_perms;
> +')
> Index: refpolicy-2.20220309/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20220309/policy/modules/services/mailman.te
> @@ -10,6 +10,7 @@ attribute mailman_domain;
>   attribute_role mailman_roles;
>   
>   mailman_domain_template(cgi)
> +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
>   
>   type mailman_data_t;
>   files_type(mailman_data_t)
> @@ -22,15 +23,25 @@ logging_log_file(mailman_log_t)
>   
>   type mailman_lock_t;
>   files_lock_file(mailman_lock_t)
> +optional_policy(`
> +	systemd_tmpfilesd_managed(mailman_lock_t)
> +')
>   
>   type mailman_runtime_t alias mailman_var_run_t;
>   files_runtime_file(mailman_runtime_t)
>   
> +type mailman_cgi_tmpfs_t;
> +files_tmpfs_file(mailman_cgi_tmpfs_t)
> +
> +type mailman_queue_tmpfs_t;
> +files_tmpfs_file(mailman_queue_tmpfs_t)
> +
>   mailman_domain_template(mail)
>   init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
>   role mailman_roles types mailman_mail_t;
>   
>   mailman_domain_template(queue)
> +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)
>   
>   ########################################
>   #
> @@ -89,13 +100,16 @@ miscfiles_read_localization(mailman_doma
>   # CGI local policy
>   #
>   
> -allow mailman_cgi_t self:unix_dgram_socket { create connect };
> +allow mailman_cgi_t self:process { signal signull sigkill };
> +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
> +allow mailman_cgi_t self:capability { dac_override setgid setuid };
> +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
>   
>   allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
>   allow mailman_cgi_t mailman_archive_t:file read_file_perms;
>   
>   allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
>   allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
>   
>   allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> @@ -104,11 +118,27 @@ allow mailman_cgi_t mailman_lock_t:file
>   allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
>   allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
>   
> +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
> +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
> +
> +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
> +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
> +
>   kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_net_sysctls(mailman_cgi_t)
>   kernel_read_system_state(mailman_cgi_t)
> +kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
>   
> +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
> +# service file for the correct context on running /usr/bin/uwsgi for
> +# mailman3-web
> +corecmd_bin_entry_type(mailman_cgi_t)
>   corecmd_exec_bin(mailman_cgi_t)
>   
> +corenet_tcp_bind_generic_node(mailman_cgi_t)
> +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
> +
>   dev_read_urand(mailman_cgi_t)
>   
>   files_search_locks(mailman_cgi_t)
> @@ -120,9 +150,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg
>   
>   logging_search_logs(mailman_cgi_t)
>   
> +miscfiles_read_generic_certs(mailman_cgi_t)
>   miscfiles_read_localization(mailman_cgi_t)
>   
> -
>   optional_policy(`
>   	apache_sigchld(mailman_cgi_t)
>   	apache_use_fds(mailman_cgi_t)
> @@ -133,6 +163,15 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	cron_rw_inherited_tmp_files(mailman_cgi_t)
> +	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
> +')
> +
> +optional_policy(`
> +	mysql_stream_connect(mailman_cgi_t)
> +')
> +
> +optional_policy(`
>   	postfix_read_config(mailman_cgi_t)
>   ')
>   
> @@ -142,7 +181,9 @@ optional_policy(`
>   #
>   
>   allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -allow mailman_mail_t self:process { signal signull setsched };
> +allow mailman_mail_t self:process { execmem signal signull setsched };
> +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> +allow mailman_mail_t self:fifo_file rw_file_perms;
>   
>   allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
>   allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> @@ -167,8 +208,12 @@ manage_files_pattern(mailman_mail_t, mai
>   manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
>   files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
>   
> +kernel_read_network_state(mailman_mail_t)
>   kernel_read_system_state(mailman_mail_t)
>   
> +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
> +corenet_tcp_bind_generic_node(mailman_mail_t)
> +corenet_tcp_connect_http_port(mailman_mail_t)
>   corenet_tcp_connect_smtp_port(mailman_mail_t)
>   corenet_sendrecv_spamd_client_packets(mailman_mail_t)
>   corenet_sendrecv_innd_client_packets(mailman_mail_t)
> @@ -193,6 +238,7 @@ libs_read_lib_files(mailman_mail_t)
>   
>   logging_search_logs(mailman_mail_t)
>   
> +miscfiles_read_generic_certs(mailman_mail_t)
>   miscfiles_read_localization(mailman_mail_t)
>   
>   mta_use_mailserver_fds(mailman_mail_t)
> @@ -200,14 +246,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
>   mta_dontaudit_rw_queue(mailman_mail_t)
>   
>   optional_policy(`
> +	apache_search_config(mailman_mail_t)
> +')
> +
> +optional_policy(`
>   	courier_read_spool(mailman_mail_t)
>   ')
>   
>   optional_policy(`
>   	cron_read_pipes(mailman_mail_t)
> +	cron_rw_inherited_tmp_files(mailman_mail_t)
> +	cron_search_spool(mailman_mail_t)
> +	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
>   ')
>   
>   optional_policy(`
> +	corenet_tcp_connect_mysqld_port(mailman_mail_t)
> +')
> +
> +optional_policy(`
> +	postfix_read_config(mailman_mail_t)
>   	postfix_search_spool(mailman_mail_t)
>   	postfix_rw_inherited_master_pipes(mailman_mail_t)
>   ')
> @@ -217,15 +275,18 @@ optional_policy(`
>   # Queue local policy
>   #
>   
> -allow mailman_queue_t self:capability { setgid setuid };
> +allow mailman_queue_t self:capability { dac_override setgid setuid };
>   allow mailman_queue_t self:process { setsched signal_perms };
>   allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>   
> +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
> +
>   allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
>   allow mailman_queue_t mailman_archive_t:file manage_file_perms;
>   
>   allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
>   allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
>   
>   allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> @@ -234,15 +295,25 @@ allow mailman_queue_t mailman_lock_t:fil
>   allow mailman_queue_t mailman_log_t:dir list_dir_perms;
>   allow mailman_queue_t mailman_log_t:file manage_file_perms;
>   
> +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
> +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
> +
> +kernel_read_network_state(mailman_queue_t)
>   kernel_read_system_state(mailman_queue_t)
> +kernel_search_vm_sysctl(mailman_queue_t)
>   
>   auth_domtrans_chk_passwd(mailman_queue_t)
>   
>   corecmd_read_bin_files(mailman_queue_t)
>   corenet_sendrecv_innd_client_packets(mailman_queue_t)
> +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
> +corenet_tcp_bind_generic_node(mailman_queue_t)
> +corenet_tcp_connect_generic_port(mailman_queue_t)
> +corenet_tcp_connect_http_port(mailman_queue_t)
>   corenet_tcp_connect_innd_port(mailman_queue_t)
>   
>   files_dontaudit_search_runtime(mailman_queue_t)
> +files_read_usr_files(mailman_queue_t)
>   files_search_locks(mailman_queue_t)
>   
>   miscfiles_read_localization(mailman_queue_t)
> @@ -251,14 +322,24 @@ seutil_dontaudit_search_config(mailman_q
>   
>   userdom_search_user_home_dirs(mailman_queue_t)
>   
> -cron_rw_tmp_files(mailman_queue_t)
> -
>   optional_policy(`
>   	apache_read_config(mailman_queue_t)
>   ')
>   
>   optional_policy(`
> +	cron_rw_tmp_files(mailman_queue_t)
> +	cron_search_spool(mailman_queue_t)
>   	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
> +	cron_use_fds(mailman_queue_t)
> +')
> +
> +optional_policy(`
> +	mysql_stream_connect(mailman_queue_t)
> +	mysql_tcp_connect(mailman_queue_t)
> +')
> +
> +optional_policy(`
> +	postfix_read_config(mailman_queue_t)
>   ')
>   
>   optional_policy(`
> Index: refpolicy-2.20220309/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20220309/policy/modules/services/apache.te
> @@ -815,8 +815,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mailman_stream_connect_cgi(httpd_t)
>   	mailman_signal_cgi(httpd_t)
>   	mailman_domtrans_cgi(httpd_t)
> +	mailman_map_data_files(httpd_t)
>   	mailman_read_data_files(httpd_t)
>   	mailman_search_data(httpd_t)
>   	mailman_read_archive(httpd_t)
> Index: refpolicy-2.20220309/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220309/policy/modules/services/cron.te
> @@ -604,6 +604,12 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mailman_domtrans_queue(system_cronjob_t)
> +	# for flock
> +	mailman_manage_runtime_files(system_cronjob_t)
> +')
> +
> +optional_policy(`
>   	mrtg_append_create_logs(system_cronjob_t)
>   	mrtg_read_config(system_cronjob_t)
>   ')
> Index: refpolicy-2.20220309/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20220309/policy/modules/services/mailman.fc
> @@ -20,6 +20,7 @@
>   
>   /usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
>   /usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman3/bin/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
>   /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
>   /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> @@ -28,3 +29,4 @@
>   /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   
>   /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)


Merged.

-- 
Chris PeBenito