Bug 799135

Summary: rt3 needs SELinux policy to allow sending mail
Product: Fedora
Component: rt3
Version: 16
Status: CLOSED NOTABUG
Reporter: Gabriel Somlo <somlo>
Assignee: Ralf Corsepius <rc040203>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl, mmahut, rc040203, tremble, xavier
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-02 19:41:08 UTC

Description Gabriel Somlo 2012-03-01 20:47:42 UTC
Description of problem:

stock up-to-date F16 install with rt3 installed and configured cannot send email due to SELinux AVC denials


Version-Release number of selected component (if applicable):

rt3-3.8.11-6.fc16.noarch


How reproducible:

open new ticket on fresh RT installation


Steps to Reproduce:
1. install and initialize RT on fresh Fedora 16 box
2. open new ticket (e.g. via web UI)
3. error entry gets logged right after initial ticket entry:

Actual results:

Second entry logged for the ticket reads:

The RT System itself - System error
Sending the previous mail has failed. Please contact your admin, they can find more details in the logs
  
Expected results:

The entry should read like this instead:

The RT System itself - Outgoing email recorded 

Additional info:

I poked around with 'audit2allow' and came up with the following policy to make the problem go away:

module ini_rt3_mail 1.0;

require {
        type mqueue_spool_t;
        type httpd_t;
        type etc_mail_t;
        class process setrlimit;
        class dir { write search getattr add_name };
        class file { write getattr read lock create open }; 
}       
#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr open }; 
allow httpd_t mqueue_spool_t:dir { write search getattr add_name };
allow httpd_t mqueue_spool_t:file { lock read write getattr create open }; 
allow httpd_t self:process setrlimit;

Please consider adding a rt3-selinux subpackage as per
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Thanks,
--G

Comment 1 Ralf Corsepius 2012-03-02 18:40:39 UTC
Well, I do not understand why rt3 would need special SELinux rules to send emails, but my knowledge of SELinux rules is close to null.

CC:-ing the SELinux maintainers, maybe they can help.

Comment 2 Daniel Walsh 2012-03-02 19:41:08 UTC
If you want to set up apache to send mail then you need to turn on the httpd_can_sendmail boolean.

setsebool -P httpd_can_sendmail 1

Comment 3 Gabriel Somlo 2012-03-02 19:53:12 UTC
Thanks, setting the httpd_can_sendmail boolean took care of it!

Comment 4 Miroslav Grepl 2012-03-05 08:48:45 UTC
Also setroubleshoot should tell you what to do or you can see more info using

$ man httpd_selinux
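The triage path the thread converges on (Comments 2 and 4): confirm the denials really are httpd_t reaching the mail types named in the report, then flip the httpd_can_sendmail boolean rather than loading a hand-written audit2allow module. The script below is an added example, not code from the bug report or from the rt3 package; the AVC lines are constructed samples in the format ausearch prints, and it assumes getsebool/setsebool (policycoreutils) and ausearch (audit) on the host.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes policycoreutils
# (getsebool/setsebool) and audit (ausearch) are installed on the host.

# Normalise one line of `getsebool NAME` output to "on" or "off".
# Returns 1 if the line does not look like getsebool output.
bool_state() {
    case "$1" in
        *" --> on")  echo on ;;
        *" --> off") echo off ;;
        *)           return 1 ;;
    esac
}

# Count AVC lines where httpd_t is denied access to the mail-related
# types from this report (etc_mail_t, mqueue_spool_t). Other httpd_t
# denials (e.g. on a web root) are not a reason to touch this boolean.
count_sendmail_avcs() {
    printf '%s\n' "$1" |
        grep -c -E 'scontext=[^ ]*:httpd_t:[^ ]* tcontext=[^ ]*:(etc_mail_t|mqueue_spool_t):'
}

# Enable the boolean persistently (-P) only when it is currently off.
# Returns 2 when the boolean cannot be queried (e.g. SELinux absent).
ensure_httpd_can_sendmail() {
    state=$(bool_state "$(getsebool httpd_can_sendmail 2>/dev/null)") || return 2
    [ "$state" = on ] && return 0
    setsebool -P httpd_can_sendmail 1
}

# Constructed sample of denials, in the format `ausearch -m avc` prints:
# two match the mail pattern from the report, the third is unrelated.
SAMPLE_AVCS='type=AVC msg=audit(1330634862.101:301): avc:  denied  { search } for  pid=2104 comm="httpd" name="mail" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1330634862.102:302): avc:  denied  { write } for  pid=2104 comm="sendmail" name="mqueue" dev=dm-0 ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1330634862.103:303): avc:  denied  { read } for  pid=2104 comm="httpd" name="index.html" dev=dm-0 ino=393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# On a live host, feed real output instead of the sample:
#   count_sendmail_avcs "$(ausearch -m avc -ts recent 2>/dev/null)"
if [ "$(count_sendmail_avcs "$SAMPLE_AVCS")" -gt 0 ] && command -v getsebool >/dev/null 2>&1; then
    ensure_httpd_can_sendmail || echo "could not enable httpd_can_sendmail (status $?)" >&2
fi
```

The boolean is preferable to the audit2allow module in the report because it is maintained with the distribution policy and can be audited with a single getsebool call, whereas a local module silently widens httpd_t for as long as it stays loaded.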