Bug 480079

Summary: insufficient policy for SquirrelMail
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: low
Priority: low
Reporter: Vadym Chepkov <vchepkov>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2009-01-15 15:54:36 UTC

Description Vadym Chepkov 2009-01-14 22:42:27 UTC
I have SquirrelMail installed, and it is a webmail interface. It doesn't work with the standard SELinux configuration, because in order to work it needs to connect to the IMAP and SMTP ports for mail receiving/sending.

It can be bypassed by setting httpd_can_network_connect --> on, but I think it's too permissive. 

I added these rules to my local policy:

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2009-01-15 15:24:13 UTC
Does it work if you set

httpd_can_sendmail?

Comment 2 Vadym Chepkov 2009-01-15 15:38:41 UTC
It does, my bad.

In my defense, httpd_selinux(8) description of this boolean mentions only sendmail invocation and in this case httpd doesn't actually call sendmail.

Thank you.

Comment 3 Daniel Walsh 2009-01-15 15:54:36 UTC
No problem, we are having a doc writer review all of the services documentation so things like this hopefully will become clearer.
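
Added example, not part of the bug report or of the Fedora policy: a shell triage of httpd_t name_connect AVC denials that recommends httpd_can_sendmail only when every denied target is one of the two mail port types named in this thread, and otherwise flags the type for review rather than falling back to httpd_can_network_connect. The audit lines are constructed and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Port types this thread shows httpd_can_sendmail covering (assumption taken
# from the bug report above, not read from the installed policy).
MAIL_PORT_TYPES="pop_port_t smtp_port_t"

# Constructed audit.log lines (not from the bug report).
SAMPLE_MAIL='type=AVC msg=audit(1231972947.101:201): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972950.440:202): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972955.007:203): avc:  denied  { name_connect } for  pid=2300 comm="php" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'
SAMPLE_OTHER='type=AVC msg=audit(1231973001.310:210): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin; print each distinct port type that httpd_t
# itself (not its script domains) was denied tcp_socket name_connect to.
denied_port_types() {
    grep -F 'denied' | grep -F '{ name_connect }' | grep -F 'tclass=tcp_socket' |
        grep 'scontext=[^ ]*:httpd_t:' |
        sed -n 's/.* tcontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p' | sort -u
}

# Read audit records on stdin; print the narrowest fix:
#   none                no matching denials
#   httpd_can_sendmail  every denied target is a mail port type
#   review:<type>       a non-mail target needs its own boolean or local rule
recommend_boolean() {
    types=$(denied_port_types)
    [ -n "$types" ] || { echo none; return 0; }
    for t in $types; do
        case " $MAIL_PORT_TYPES " in
            *" $t "*) ;;
            *) echo "review:$t"; return 0 ;;
        esac
    done
    echo httpd_can_sendmail
}

# On a live host: ausearch -m avc -ts recent --raw | recommend_boolean
# then, if appropriate: setsebool -P httpd_can_sendmail on
printf '%s\n' "$SAMPLE_MAIL" | recommend_boolean
```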