Description of problem:
Unable to login using squirrelmail on Fedora Core 4.

How reproducible:
Always

Steps to Reproduce:
1. Attempt to login to squirrelmail

Actual results:
See this on webpage:

ERROR
Error connecting to IMAP server: localhost.
13 : Permission denied

Find this in /var/log/audit

type=SOCKETCALL msg=audit(1118780599.827:518614): nargs=3 a0=1d a1=9b2f374 a2=10
type=SOCKADDR msg=audit(1118780599.827:518614): saddr=0200008F7F0000010000000000000000
type=SYSCALL msg=audit(1118780599.827:518614): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc937f0 a2=6488cd4 a3=1d items=0 pid=2067 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1118780599.827:518614): avc: denied { name_connect } for pid=2067 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket

Expected results:
Should be able to login

Additional info:
This is a fresh install of Fedora Core 4

Does setting the boolean

setsebool -P httpd_can_network_connect=1

solve the problem?

Dan

Yes, this fixes the problem. Squirrelmail now runs.

Is this more access than Squirrelmail needs? Just wondering, since I discovered my old system had been compromised and I am doing a fresh install and I am a little bit paranoid :(

Also, is there a config file that I can put the httpd_can_network_connect=1 into?

Thanks,
John

Yes, but it should not be a problem. Setting this flag allows a compromised apache web server to connect to all ports, rather than just the http ports. In the future, we hope to allow users to define additional ports that an app can connect to.
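
Added example (not part of the original report or replies): a small Python parser that groups the SOCKADDR and AVC records from the report by audit serial number and decodes the saddr field, showing that the denial was httpd_t attempting name_connect to 127.0.0.1:143, a port labeled pop_port_t. The function names are illustrative, and the byte order of the address family assumes the i386 host indicated by arch=40000003.

```python
import re
import socket
import struct

# The SOCKADDR and AVC records from the report above (same audit serial, 518614).
AUDIT_LINES = [
    'type=SOCKADDR msg=audit(1118780599.827:518614): '
    'saddr=0200008F7F0000010000000000000000',
    'type=AVC msg=audit(1118780599.827:518614): avc: denied { name_connect } '
    'for pid=2067 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t '
    'tcontext=system_u:object_r:pop_port_t tclass=tcp_socket',
]

RECORD_RE = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)')

def decode_saddr(hex_saddr):
    """Return (ip, port) for an AF_INET sockaddr logged as hex, else None."""
    raw = bytes.fromhex(hex_saddr)
    # Assumption: little-endian host (arch=40000003 in the SYSCALL record is i386).
    (family,) = struct.unpack('<H', raw[:2])
    if family != socket.AF_INET:
        return None
    (port,) = struct.unpack('!H', raw[2:4])  # port is stored in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def summarize(lines):
    """Group records by audit serial and describe each AVC decision."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == 'SOCKADDR':
            ev['peer'] = decode_saddr(re.search(r'saddr=([0-9A-Fa-f]+)', body).group(1))
        elif rtype == 'AVC':
            ev['denied'] = 'denied' in body
            ev['perms'] = re.search(r'\{ (.*?) \}', body).group(1).split()
            fields = dict(re.findall(r'(\w+)=(\S+)', body))
            ev['comm'] = fields['comm'].strip('"')
            ev['source_type'] = fields['scontext'].split(':')[2]
            ev['target_type'] = fields['tcontext'].split(':')[2]
            ev['tclass'] = fields['tclass']
    return events

if __name__ == '__main__':
    for serial, ev in summarize(AUDIT_LINES).items():
        print(serial, ev)
```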