From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
When I compose and send an email with squirrelmail, the following is logged by syslog and the email doesn't get sent:
    Nov 10 12:33:04 zippy kernel: audit(1100089984.840:0): avc: denied { read } for pid=4099 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=360497 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
A copy of the email is stored in the sent folder (through dovecot). Turn off SELinux and it works. SELinux is in targeted mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.19

How reproducible:
Always

Steps to Reproduce:
1. Compose and send an email with squirrelmail

Actual Results:
Email is not sent and above message appears in log files.

Expected Results:
Email should be sent (sendmail should log this).
Added a fix for this in selinux-policy-targeted-1.17.30-2.21.
Currently available on ftp://people.redhat.com/dwalsh/SELinux/FC3
This is a yum repository where I will be putting up updates for FC3 policy. Will be in update 1.
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ has the stuff that will be going into FC4, but should work with FC3 (more experimental though).
Created attachment 106408: Log messages for errors
It's done a bit more with the change.
Created attachment 106409: More log messages
This is with enforcing turned off so as to get the full list.
Ok, looks like we need policy for squirrelmail, so you probably should run with Apache Transitioning off, for now. I will try to get some policy to support squirrelmail. (Never used it before.)
Dan
selinux-policy-targeted-1.17.30-2.30 supports squirrelmail
It seems to work (bit hard to tell when there's no output!). system-config-securitylevel tells me that httpd transitioning isn't disabled and that selinux is enforcing the targeted policy.
Cheers.
Ok, I installed the rpm:
ftp://people.redhat.com/dwalsh/SELinux/FC3/selinux-policy-targeted-1.17.30-2.33.noarch.rpm
And when I try to send mail with my PHP script, here is what it outputs in my dmesg:
    Nov 22 10:34:54 portable kernel: audit(1101137694.990:0): avc: denied { read write } for pid=11440 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
    Nov 22 10:34:55 portable kernel: audit(1101137694.999:0): avc: denied { read write } for pid=11441 exe=/bin/bash path=socket:[29815] dev=sockfs ino=29815 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
    Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc: denied { execute } for pid=11441 exe=/bin/bash name=sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
    Nov 22 10:34:55 portable kernel: audit(1101137695.004:0): avc: denied { getattr } for pid=11441 exe=/bin/bash path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1889550 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
I cannot send mail with my script. But my PHP script simply uses the mail() command...
PS: the new package fixes my mysql problem!
Excuse the second message, but I'm not using squirrelmail but a custom script I wrote myself. Am I better off opening a new bug entry?
Some more info:
    root@portable ~ # ps auxZ | grep sendmail
    root:system_r:unconfined_t root 11098 0.0 0.5 9220 2992 ? Ss 10:25 0:00 sendmail: accepting connections
    root:system_r:unconfined_t smmsp 11108 0.0 0.5 6936 2584 ? Ss 10:25 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
    root:system_r:unconfined_t root 11676 0.0 0.1 5000 676 pts/1 S+ 10:46 0:00 grep sendmail
Seems to be the same problem as mysqld not running with the good context. Sendmail must be running with which context?