| Summary: | rt3 needs SELinux policy to allow sending mail | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gabriel Somlo <somlo> |
| Component: | rt3 | Assignee: | Ralf Corsepius <rc040203> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 16 | CC: | dwalsh, mgrepl, mmahut, rc040203, tremble, xavier |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Last Closed: | 2012-03-02 19:41:08 UTC |

Well, I do not understand why rt3 would need special SELinux rules to send emails, but my knowledge on SELinux rules is close to null. CC:-ing the selinux maintainers, maybe they can help.

If you want to set up apache to send mail then you need to turn on the httpd_can_sendmail boolean.

```
setsebool -P httpd_can_sendmail 1
```

Thanks, setting the httpd_can_sendmail boolean took care of it!

Also setroubleshoot should tell you what to do or you can see more info using

```
$ man httpd_selinux
```

Description of problem:
stock up-to-date F16 install with rt3 installed and configured can not send email due to SELinux AVC denials

Version-Release number of selected component (if applicable):
rt3-3.8.11-6.fc16.noarch

How reproducible:
open new ticket on fresh RT installation

Steps to Reproduce:
1. install and initialize RT on fresh Fedora 16 box
2. open new ticket (e.g. via web u/i)
3. error entry gets logged right after initial ticket entry:

Actual results:
Second entry logged for the ticket reads:

    The RT System itself - System error
    Sending the previous mail has failed. Please contact your admin, they can find more details in the logs

Expected results:
The entry should read like this instead:

    The RT System itself - Outgoing email recorded

Additional info:
I poked around with 'audit2allow' and came up with the following policy to make the problem go away:

```
module ini_rt3_mail 1.0;

require {
        type mqueue_spool_t;
        type httpd_t;
        type etc_mail_t;
        class process setrlimit;
        class dir { write search getattr add_name };
        class file { write getattr read lock create open };
}

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr open };
allow httpd_t mqueue_spool_t:dir { write search getattr add_name };
allow httpd_t mqueue_spool_t:file { lock read write getattr create open };
allow httpd_t self:process setrlimit;
```

Please consider adding a rt3-selinux subpackage as per http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Thanks,
--G
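
The thread settled on the `httpd_can_sendmail` boolean instead of the hand-built module. As an added example (not part of the bug report, rt3 or the SELinux policy packages), this sketch groups AVC denials into the rules a module would need and flags the ones a boolean is known to cover. The log lines are constructed, the function names are hypothetical, and the `BOOLEAN_HINTS` table is an assumption drawn only from this thread.

```python
import re
from collections import defaultdict

# Constructed audit.log lines shaped like the denials behind the reporter's
# module; pids, inodes, file names and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1330700000.101:501): avc:  denied  { search } for  pid=2101 comm="sendmail" name="mail" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1330700000.102:502): avc:  denied  { read open } for  pid=2101 comm="sendmail" name="submit.cf" dev=dm-0 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1330700000.103:503): avc:  denied  { write add_name } for  pid=2101 comm="sendmail" name="clientmqueue" dev=dm-0 ino=150 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1330700000.104:504): avc:  denied  { setrlimit } for  pid=2101 comm="sendmail" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1330700000.104:504): arch=c000003e syscall=160 success=no exit=-13
"""

# Pull permissions, source type, target type and class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")

# Assumption taken from this thread only: httpd_t denials on these mail types
# went away once the boolean was set, so no custom module was needed for them.
BOOLEAN_HINTS = {("httpd_t", "etc_mail_t"): "httpd_can_sendmail",
                 ("httpd_t", "mqueue_spool_t"): "httpd_can_sendmail"}

def parse_avc(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (e.g. SYSCALL) are skipped
            denials[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(denials)

def triage(denials):
    """Return (rule, boolean-or-None) pairs; None means review by hand."""
    out = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, BOOLEAN_HINTS.get((src, tgt))))
    return out

if __name__ == "__main__":
    for rule, boolean in triage(parse_avc(SAMPLE_AUDIT_LOG)):
        note = f"try: setsebool -P {boolean} 1" if boolean else "no boolean hint; review"
        print(f"{rule:<62} # {note}")
```

Rules with a hint are candidates for a boolean change; anything left without one still needs to be read against the policy before a module is written for it.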