Bug 144620

Summary: Squirrelmail can't send mail
Product: [Fedora] Fedora Reporter: Paul Black <paul.0000.black>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-11 15:09:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
SELinux messages sent to syslog
none
SELinux messages from /var/log/messages none

Description Paul Black 2005-01-09 21:01:03 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.7.5)
Gecko/20041110 Firefox/1.0

Description of problem:
SELinux doesn't allow Squirrelmail to send email. Squirrelmail behaves
as if the mail was sent (including storing the sent mail) but mail is
not sent. This is similar to bug 138630 which was fixed. I' don't know
if this was broken by an update to SELinux or if it's specific to me
now using an x86-64 machine.

Version-Release number of selected component (if applicable):
1.17.30-2.68

How reproducible:
Always

Steps to Reproduce:
1.Compose and send an email with squirrelmail


Actual Results:  Email is not sent and SELinux generates messages log
files.

Expected Results:  Email should be sent.

Additional info:
Comment 1 Paul Black 2005-01-09 21:02:01 UTC 
Created attachment 109542 [details]
SELinux messages sent to syslog
Comment 2 Daniel Walsh 2005-01-10 14:47:37 UTC 
The problem is that your system is not labeled correctly.   The best
way to fix this is to 
touch /.autorelabel
reboot

Which will clean up the labels.  Squirrelmail was fixed after the
release of FC3, so you have to relabel.

Dan
Comment 3 Paul Black 2005-01-10 17:07:36 UTC 
It made things worse! No I can't log in to squirrelmail without
"setenfdorce 0". The other errors are still present.
Comment 4 Daniel Walsh 2005-01-10 17:28:56 UTC 
I do not know how you generated the AVC message log that you attached.
 Can you just attach the output of 

grep -i avc /var/log/messages

Do you have selinux-policy-targeted-sources installed?

If yes can you do a 
make -C /etc/selinux/targeted/src/policy load

Dan
Comment 5 Paul Black 2005-01-11 10:11:02 UTC 
Created attachment 109595 [details]
SELinux messages from /var/log/messages

The previous log message were from /var/log/messages with the timestamps
removed.

> Do you have selinux-policy-targeted-sources installed?

Yes.


> If yes can you do a 
> make -C /etc/selinux/targeted/src/policy load

Ran without error.

This log I'm attaching has two bits in it: the first two messages are from
logging in to Squirrelmail, the rest are from trying to send mail.
Comment 6 Daniel Walsh 2005-01-11 14:46:47 UTC 
Ok the problem is that httpd is not transitioning to system_mail_t.

ls -lZ /usr/sbin/sendmail.sendmail

should show that sendmail is marked as system_u:object_r:sendmail_exec_t

It also looks like 
ls -ladZ /var/spool/mqueue
is labeled incorrectly
should be system_u:object_r:mqueue_spool_t

So I believe your system did not relabel correctly.

Dan
Comment 7 Paul Black 2005-01-11 15:09:33 UTC 
You may be right about not doing the relabel correctly. I've just
redone the "touch /.autorelabel; reboot" (that's the second relabel
today) and both /usr/sbin/sendmail.sendmail and /var/spool/mqueue now
have the labels mentioned above (they didn't before). Squirrelmail now
works. Cheers.