Bug 157768 - Squirrelmail doesn't like SElinux - messages lost
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: squirrelmail
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Warren Togami
Reported: 2005-05-14 16:48 EDT by P Fudd
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-05-31 00:46:29 EDT
Description P Fudd 2005-05-14 16:48:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

Description of problem:
Squirrelmail can't send email due to restrictive selinux policy.

Typing 'setenforce 0' allows squirrelmail to work.

Version-Release number of selected component (if applicable):
squirrelmail-1.4.4-1.FC3

How reproducible:
Always

Steps to Reproduce:
1. Install fresh Fedora Core 3 system with selinux enabled (includes squirrelmail)
2. Fix /etc/httpd/conf/httpd.conf to use index.php as a directory index
3. Go to http://localhost/webmail
4. Log in, compose message to yourself
5. Send it
6. Check log to find out why message disappeared into thin air
  

Actual Results:  Found entries like this in the log:
May 14 11:25:41 dan kernel: audit(1116095141.399:0): avc:  denied  { read } for  pid=5643 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=2616329 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file

Expected Results:  Email should be sent.

Additional info:

System is configured to use sendmail.

I tried a different policy file (selinux-policy-targeted-1.17.30-3.6) but the errors don't go away, they only change.
Comment 1 Warren Togami 2005-05-14 17:08:43 EDT
Are you sure the filesystem is properly labeled?

If it is, then this may be a policy problem...
Comment 2 Daniel Walsh 2005-05-14 18:38:04 EDT
It is allowed in the 3.6 policy
> grep bin_t:lnk_ apache.te
allow httpd_t bin_t:lnk_file read;

Are you sure you have it loaded?
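
The triage step discussed in this thread, as an added example that is not part of the original bug report or of any Fedora tooling: it parses the AVC denial quoted in the description, derives the allow rule the denial calls for, and checks it against policy source text such as the apache.te line quoted in Comment 2. The function names are hypothetical, and the check only matches literal type names in source text (no attributes or macros); it says nothing about which policy is loaded in the kernel.

```python
import re

# Sample inputs copied from the bug report above.
AVC_LINE = ("May 14 11:25:41 dan kernel: audit(1116095141.399:0): avc:  denied  { read } "
            "for  pid=5643 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=2616329 "
            "scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file")
POLICY_TE = "allow httpd_t bin_t:lnk_file read;\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
# allow <source> <target>:<class> <perms>;  each part may be a name or a { set }.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M)

def _set(token):
    """Turn 'read' or '{ read getattr }' into a set of names."""
    return set(token.strip("{} \t").split())

def parse_avc(line):
    """Return the denied permissions and key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": _set(m.group(1)),
        "source": fields["scontext"].split(":")[2],  # context is user:role:type
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }

def needed_rule(denial):
    """The allow rule that would cover this denial, in .te syntax."""
    perms = sorted(denial["perms"])
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {p};"

def missing_perms(denial, te_source):
    """Denied permissions that no literal allow rule in te_source grants."""
    needed = set(denial["perms"])
    for src, tgt, cls, perms in ALLOW_RE.findall(te_source):
        if (denial["source"] in _set(src) and denial["target"] in _set(tgt)
                and denial["tclass"] in _set(cls)):
            needed -= _set(perms)
    return needed
```

An empty result from missing_perms for a denial that is still being logged means the rule exists in the source but the running policy differs, which is the situation Comment 2 asks about.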
