Bug 312181 - SELINUX preventing mail to be sent from webmail squirrelmail
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-29 03:54 EDT by Jan Willem Huijbers
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-10-03 17:27:14 EDT

Description Jan Willem Huijbers 2007-09-29 03:54:46 EDT
Description of problem:
SELinux targeted is prohibiting mail from being sent from webmail SquirrelMail


Version-Release number of selected component (if applicable):
Latest F7 sepolicy and the one before


How reproducible:
Send a mail from the webmail environment

Steps to Reproduce:
1. create an email in squirrelmail
2. send
3. error
  
Actual results:
error squirrelmail:
Message not sent. Server replied:

    Email delivery error
    72 Can't execute command '/usr/sbin/sendmail -i -t -fjan.willem@huijbers.net'.

out of /var/log/messages

Sep 29 09:37:07 fedora-pc setroubleshoot:      SELinux is preventing the
/usr/sbin/sendmail.sendmail from using potentially mislabeled files
anon_inode:[eventpoll] (anon_inodefs_t).      For complete SELinux messages. run
sealert -l b1d79fa7-d7f6-4b8c-b94e-3b43b60229bb
Sep 29 09:37:07 fedora-pc setroubleshoot:      SELinux is preventing the
/usr/sbin/sendmail.sendmail from using potentially mislabeled files mail
(etc_mail_t).      For complete SELinux messages. run sealert -l
5ce8af75-5ef0-4c33-a371-2f5067356977
Sep 29 09:37:07 fedora-pc setroubleshoot:      SELinux is preventing the
/usr/sbin/sendmail.sendmail from using potentially mislabeled files mail
(etc_mail_t).      For complete SELinux messages. run sealert -l
5ce8af75-5ef0-4c33-a371-2f5067356977
Sep 29 09:37:07 fedora-pc setroubleshoot:      SELinux is preventing the
/usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail
(etc_mail_t).      For complete SELinux messages. run sealert -l
c605f30f-9512-4d7b-b7f7-a39d5f62cd74
Sep 29 09:37:07 fedora-pc setroubleshoot:      SELinux is preventing
/usr/sbin/sendmail.sendmail (httpd_sys_script_t) "create" to <Unknown>
(httpd_sys_script_t).      For complete SELinux messages. run sealert -l
eec295ce-257d-4ce7-ac56-c771da1c854c


Expected results:
mail to be sent

Additional info:
Comment 1 Daniel Walsh 2007-10-01 15:42:36 EDT
Please attach the entire avc messages or the setroubleshoot output.

Comment 2 Jan Willem Huijbers 2007-10-02 13:18:51 EDT
As requested.

[root@fedora-pc ~]# sealert -l b1d79fa7-d7f6-4b8c-b94e-3b43b60229bb
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
    mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
    mislabeled files anon_inode:[eventpoll].  This means that SELinux will not
    allow http to use these files.  Many third party apps install html files in
    directories that SELinux policy can not predict.  These directories have to
    be labeled with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of anon_inode:[eventpoll] so that the
    httpd daemon can access it, you need to execute it using chcon -t
    httpd_sys_content_t anon_inode:[eventpoll].  You can look at the
    httpd_selinux man page for additional information.

Additional Information

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:anon_inodefs_t
Target Objects                anon_inode:[eventpoll] [ file ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Mon Sep 24 19:12:08 2007
Last Seen                     Sat Sep 29 09:52:57 2007
Local ID                      b1d79fa7-d7f6-4b8c-b94e-3b43b60229bb
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0
name="[eventpoll]" path="anon_inode:[eventpoll]" pid=3342
scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48


[root@fedora-pc ~]# sealert -l 5ce8af75-5ef0-4c33-a371-2f5067356977
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
    mislabeled files mail (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
    mislabeled files mail.  This means that SELinux will not allow http to use
    these files.  Many third party apps install html files in directories that
    SELinux policy can not predict.  These directories have to be labeled with a
    file context which httpd can accesss.

Allowing Access
    If you want to change the file context of mail so that the httpd daemon can
    access it, you need to execute it using chcon -t httpd_sys_content_t mail.
    You can look at the httpd_selinux man page for additional information.

Additional Information

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:etc_mail_t
Target Objects                mail [ dir ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   6
First Seen                    Mon Sep 24 19:12:08 2007
Last Seen                     Sat Sep 29 09:52:57 2007
Local ID                      5ce8af75-5ef0-4c33-a371-2f5067356977
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="sendmail" dev=dm-0 egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=48 gid=48 items=0
name="mail" pid=3342 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48


[root@fedora-pc ~]# sealert -l c605f30f-9512-4d7b-b7f7-a39d5f62cd74
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
    mislabeled files /etc/mail (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
    mislabeled files /etc/mail.  This means that SELinux will not allow http to
    use these files.  Many third party apps install html files in directories
    that SELinux policy can not predict.  These directories have to be labeled
    with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of /etc/mail so that the httpd daemon
    can access it, you need to execute it using chcon -t httpd_sys_content_t
    /etc/mail.  You can look at the httpd_selinux man page for additional
    information.

Additional Information

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:etc_mail_t
Target Objects                /etc/mail [ dir ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7
                              [application]sendmail-8.14.1-4.2.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Mon Sep 24 19:12:08 2007
Last Seen                     Sat Sep 29 09:52:57 2007
Local ID                      c605f30f-9512-4d7b-b7f7-a39d5f62cd74
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=48 gid=48 items=0
name="mail" path="/etc/mail" pid=3342
scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

[root@fedora-pc ~]# sealert -l eec295ce-257d-4ce7-ac56-c771da1c854c
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
    "create" to <Unknown> (httpd_sys_script_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:httpd_sys_script_t
Target Objects                None [ unix_dgram_socket ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Mon Sep 24 19:12:08 2007
Last Seen                     Sat Sep 29 09:52:57 2007
Local ID                      eec295ce-257d-4ce7-ac56-c771da1c854c
Line Numbers

Raw Audit Messages

avc: denied { create } for comm="sendmail" egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=48 gid=48 items=0
pid=3342 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48






Comment 3 Daniel Walsh 2007-10-03 17:27:14 EDT
It should work if you turn on the httpd_can_sendmail boolean

setsebool -P httpd_can_sendmail 1
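
Added example (not part of the bug report and not code from the selinux-policy project): a Python triage of the four raw audit messages from Comment 2, grouping them by source type and command so that they surface as one finding tied to the boolean named in Comment 3. The `BOOLEAN_HINTS` table and the function names `parse_avc` and `triage` are assumptions of this example.

```python
import re
from collections import defaultdict
# Raw audit messages from Comment 2, one per entry, trimmed to the fields read below.
AVC_RECORDS = [
    'avc: denied { read, write } for comm="sendmail" '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file '
    'tcontext=system_u:object_r:anon_inodefs_t:s0',
    'avc: denied { search } for comm="sendmail" '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir '
    'tcontext=system_u:object_r:etc_mail_t:s0',
    'avc: denied { getattr } for comm="sendmail" '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir '
    'tcontext=system_u:object_r:etc_mail_t:s0',
    'avc: denied { create } for comm="sendmail" '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket '
    'tcontext=system_u:system_r:httpd_sys_script_t:s0',
]
# Assumption: one-entry hint table (source type, comm) -> boolean, taken from Comment 3.
BOOLEAN_HINTS = {("httpd_sys_script_t", "sendmail"): "httpd_can_sendmail"}
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return perms, comm, source/target type and class; None if not a usable denial."""
    m = PERMS_RE.search(record)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    try:  # a context is user:role:type[:level]; index 2 is the type
        return {"perms": set(re.split(r"[,\s]+", m.group(1).strip())), "comm": f["comm"],
                "source": f["scontext"].split(":")[2], "tclass": f["tclass"],
                "target": f["tcontext"].split(":")[2]}
    except (KeyError, IndexError):  # missing or malformed field
        return None

def triage(records):
    """Group denials by (source type, comm) so one root cause shows as one finding."""
    groups = defaultdict(lambda: defaultdict(set))
    for avc in filter(None, map(parse_avc, records)):
        groups[avc["source"], avc["comm"]][avc["target"], avc["tclass"]] |= avc["perms"]
    return [{"source": s, "comm": c, "boolean": BOOLEAN_HINTS.get((s, c)),
             "denied": sorted(f"{t}:{k} {{ {' '.join(sorted(p))} }}"
                              for (t, k), p in objs.items())}
            for (s, c), objs in sorted(groups.items())]

if __name__ == "__main__":
    for finding in triage(AVC_RECORDS):
        print(finding["source"], "running", finding["comm"], "was denied:", finding["denied"])
        print("  boolean to inspect with getsebool:", finding["boolean"])
```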
