Bug 138630

Summary: Can't send mail using squirrelmail
Product: [Fedora] Fedora
Reporter: Paul Black <paul.0000.black>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 3
CC: jf_saucier
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-11-22 14:52:39 UTC
Attachments:
  Log messages for errors (flags: none)
  More log messages (flags: none)

Description Paul Black 2004-11-10 12:36:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
When I compose and send an email with squirrelmail, the following is
logged by syslog and the email doesn't get sent:
Nov 10 12:33:04 zippy kernel: audit(1100089984.840:0): avc:  denied  { read } for  pid=4099 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=360497 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file

A copy of the email is stored in the sent folder (through dovecot).

Turn off SELinux and it works.

SELinux is in targeted mode.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.19

How reproducible:
Always

Steps to Reproduce:
1. Compose and send an email with squirrelmail

    

Actual Results:  Email is not sent and above message appears in log files.


Expected Results:  Email should be sent (sendmail should log this).

Comment 1 Daniel Walsh 2004-11-10 13:04:44 UTC
Added a fix for this in selinux-policy-targeted-1.17.30-2.21

Currently available on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

This is a yum repository where I will be putting up updates for FC3 policy.

Will be in update 1.

ftp://people.redhat.com/dwalsh/SELinux/Fedora/

Has the stuff that will be going into FC4, but should work with FC3
(more experimental though)

Comment 2 Paul Black 2004-11-10 13:26:42 UTC
Created attachment 106408
Log messages for errors

It's done a bit more with the change.

Comment 3 Paul Black 2004-11-10 13:30:05 UTC
Created attachment 106409
More log messages

This is with enforcing turned off so as to get the full list.

Comment 4 Daniel Walsh 2004-11-10 15:00:31 UTC
OK, looks like we need policy for squirrelmail, so you probably should
run with Apache transitioning off, for now.  I will try to get some
policy to support squirrelmail.  (Never used it before.)

Dan

Comment 5 Daniel Walsh 2004-11-17 21:30:12 UTC
selinux-policy-targeted-1.17.30-2.30 supports squirrelmail

Comment 6 Paul Black 2004-11-22 09:15:25 UTC
It seems to work (bit hard to tell when there's no output!).
system-config-securitylevel tells me that httpd transitioning isn't
disabled and that selinux is enforcing the targeted policy.

Cheers.


Comment 7 Jean-Francois Saucier 2004-11-22 15:33:08 UTC
OK, I installed the rpm:
ftp://people.redhat.com/dwalsh/SELinux/FC3/selinux-policy-targeted-1.17.30-2.33.noarch.rpm


And when I try to send mail with my PHP script, here is what it outputs in
my dmesg:


Nov 22 10:34:54 portable kernel: audit(1101137694.990:0): avc:  denied  { read write } for  pid=11440 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137694.999:0): avc:  denied  { read write } for  pid=11441 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { execute } for  pid=11441 exe=/bin/bash name=sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { getattr } for  pid=11441 exe=/bin/bash path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file



I cannot send mail with my script. But my PHP script simply uses the
mail() command...

PS: the new package fixes my mysql problem!
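
Added example, not part of the original thread: a small Python triage helper that re-joins the wrapped AVC denials pasted in Comment 7 and groups them by source type, target type and object class, rendering each group in SELinux `allow`-rule syntax so the refused access is easy to read. The function names are illustrative, and the regex assumes the field order `scontext`, `tcontext`, `tclass` seen in these kernel messages.

```python
import re

# Denials as pasted in Comment 7 of this report, mail-style line wraps included.
SAMPLE = """\
Nov 22 10:34:54 portable kernel: audit(1101137694.990:0): avc:  denied
 { read write } for  pid=11440 exe=/bin/bash path=socket:[29815]
dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied
 { execute } for  pid=11441 exe=/bin/bash name=sendmail.sendmail
dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sbin_t tclass=file
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied
 { getattr } for  pid=11441 exe=/bin/bash
path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1889550
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sbin_t tclass=file
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                 r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
                 r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
                 r"tclass=(?P<cls>\S+)")

def unwrap(text):
    """Re-join records that a mail client or web form wrapped across lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return (source type, target type, class, perms), or None for non-AVC lines."""
    m = AVC.search(record)
    if not m:
        return None
    # Contexts are user:role:type; type enforcement matches on the type field.
    return m["src"], m["tgt"], m["cls"], set(m["perms"].split())

def allow_rules(text):
    """Union permissions per (source, target, class) and render them as allow rules."""
    grouped = {}
    for rec in filter(None, map(parse_avc, unwrap(text))):
        grouped.setdefault(rec[:3], set()).update(rec[3])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]
```

The two denials on /usr/sbin/sendmail.sendmail collapse into a single rule for httpd_sys_script_t on sbin_t:file, alongside one rule for the inherited httpd_t socket.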

Comment 8 Jean-Francois Saucier 2004-11-22 15:35:29 UTC
Excuse the second message, but I'm not using squirrelmail but a custom
script I wrote myself.

Am I better off opening a new bug entry?

Comment 9 Jean-Francois Saucier 2004-11-22 15:42:30 UTC
Some more info:

root@portable ~ # ps auxZ | grep sendmail
root:system_r:unconfined_t      root     11098  0.0  0.5  9220 2992 ?        Ss   10:25   0:00 sendmail: accepting connections
root:system_r:unconfined_t      smmsp    11108  0.0  0.5  6936 2584 ?        Ss   10:25   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root:system_r:unconfined_t      root     11676  0.0  0.1  5000  676 pts/1    S+   10:46   0:00 grep sendmail



Seems to be the same problem as mysqld not running with the right context.

Which context must sendmail be running with?