Bug 138630 - Can't send mail using squirrelmail
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-10 07:36 EST by Paul Black
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-11-22 09:52:39 EST

Attachments:
Log messages for errors (1.15 KB, text/plain), 2004-11-10 08:26 EST, Paul Black
More log messages (5.24 KB, text/plain), 2004-11-10 08:30 EST, Paul Black

Description Paul Black 2004-11-10 07:36:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
When I compose and send an email with squirrelmail, the following is
logged by syslog and the email doesn't get sent:
Nov 10 12:33:04 zippy kernel: audit(1100089984.840:0): avc:  denied  { read } for  pid=4099 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=360497 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file

A copy of the email is stored in the sent folder (through dovecot).

Turn off SELinux and it works.

SELinux is in targeted mode.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.19

How reproducible:
Always

Steps to Reproduce:
1. Compose and send an email with squirrelmail

    

Actual Results:  Email is not sent and above message appears in log files.


Expected Results:  Email should be sent (sendmail should log this).
Comment 1 Daniel Walsh 2004-11-10 08:04:44 EST
Added a fix for this in selinux-policy-targeted-1.17.30-2.21

Currently available on 

ftp://people.redhat.com/dwalsh/SELinux/FC3

This is a yum repository where I will be putting up updates for FC3 policy.

Will be in update 1.

ftp://people.redhat.com/dwalsh/SELinux/Fedora/

Has the stuff that will be going into FC4, but should work with FC3
(more experimental though)
Comment 2 Paul Black 2004-11-10 08:26:42 EST
Created attachment 106408
Log messages for errors

It's done a bit more with the change.
Comment 3 Paul Black 2004-11-10 08:30:05 EST
Created attachment 106409
More log messages

This is with enforcing turned off so as to get the full list.
Comment 4 Daniel Walsh 2004-11-10 10:00:31 EST
OK, looks like we need policy for squirrelmail, so you probably should
run with Apache transitioning off for now.  I will try to get some
policy to support squirrelmail.  (Never used it before.)

Dan
Comment 5 Daniel Walsh 2004-11-17 16:30:12 EST
selinux-policy-targeted-1.17.30-2.30 supports squirrelmail
Comment 6 Paul Black 2004-11-22 04:15:25 EST
It seems to work (bit hard to tell when there's no output!).
system-config-securitylevel tells me that httpd transitioning isn't
disabled and that selinux is enforcing the targeted policy.

Cheers.
Comment 7 Jean-Francois Saucier 2004-11-22 10:33:08 EST
OK, I installed the rpm:
ftp://people.redhat.com/dwalsh/SELinux/FC3/selinux-policy-targeted-1.17.30-2.33.noarch.rpm


And when I try to send mail with my PHP script, here is what it outputs in
my dmesg:


Nov 22 10:34:54 portable kernel: audit(1101137694.990:0): avc:  denied  { read write } for  pid=11440 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137694.999:0): avc:  denied  { read write } for  pid=11441 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { execute } for  pid=11441 exe=/bin/bash name=sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { getattr } for  pid=11441 exe=/bin/bash path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file



I cannot send mail with my script. But my PHP script simply uses the
mail() command...

PS: the new package fixes my mysql problem!
Comment 8 Jean-Francois Saucier 2004-11-22 10:35:29 EST
Excuse the second message, but I'm not using squirrelmail but a custom
script I wrote myself.

Am I better off opening a new bug entry?
Comment 9 Jean-Francois Saucier 2004-11-22 10:42:30 EST
Some more info:

root@portable ~ # ps auxZ | grep sendmail
root:system_r:unconfined_t      root     11098  0.0  0.5  9220 2992 ?        Ss   10:25   0:00 sendmail: accepting connections
root:system_r:unconfined_t      smmsp    11108  0.0  0.5  6936 2584 ?        Ss   10:25   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root:system_r:unconfined_t      root     11676  0.0  0.1  5000  676 pts/1    S+   10:46   0:00 grep sendmail



Seems the same problem as mysqld not running with the good context.

Which context must sendmail run with?
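
The AVC denials quoted in the description and in comment 7 can be split into their fields and grouped by source type, target type and object class, which is the usual first step when working out what a confined domain such as httpd_t was blocked from doing. The following is an added example, not part of the original bug report or of the selinux-policy package; the function names parse_avc, summarize and as_rules are hypothetical, and the log lines are the ones quoted above with the line wrapping undone.

```python
import re
from collections import defaultdict

# AVC records quoted in this bug (description and comment 7), unwrapped to one per line.
SAMPLE_LOG = """\
Nov 10 12:33:04 zippy kernel: audit(1100089984.840:0): avc:  denied  { read } for  pid=4099 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=360497 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 22 10:34:54 portable kernel: audit(1101137694.990:0): avc:  denied  { read write } for  pid=11440 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137694.999:0): avc:  denied  { read write } for  pid=11441 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { execute } for  pid=11441 exe=/bin/bash name=sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc:  denied  { getattr } for  pid=11441 exe=/bin/bash path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type[:level]; the type is the third component.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"perms": m.group("perms").split(), "source": source, "target": target,
            "tclass": tclass, "exe": fields.get("exe"),
            "object": fields.get("path") or fields.get("name")}

def summarize(log_text):
    """Merge repeated denials: (source, target, class) -> sorted permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_rules(summary):
    """Render the summary as allow-rule text for review; this is not a policy fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The printed allow lines only summarize what was denied, in the style of audit2allow output, and each one needs review before it goes anywhere near a policy; the fix in this bug came from the updated selinux-policy-targeted package.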
