Bug 426583 - SELinux, Apache, Postfix
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-12-22 11:29 EST by Anthony Messina
Modified: 2008-01-30 14:06 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:06:21 EST


Description Anthony Messina 2007-12-22 11:29:07 EST
Description of problem:
On a fully-updated F7 system, with selinux-policy-2.6.4-63.fc7 in permissive 
mode, I get the following errors when an email is sent by apache (httpd):

Actual results:
avc: denied { append } for comm="postdrop" dev=sda2 egid=90 euid=48 
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=48 gid=48 items=0 
path="/var/log/httpd/error_log" pid=28964 
scontext=system_u:system_r:postfix_postdrop_t:s0 sgid=90 
subj=system_u:system_r:postfix_postdrop_t:s0 suid=48 tclass=file 
tcontext=root:object_r:httpd_log_t:s0 tty=(none) uid=48

avc: denied { getattr } for comm="postdrop" dev=sda2 egid=90 euid=48 
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=48 gid=48 items=0 
path="/var/log/httpd/error_log" pid=28964 
scontext=system_u:system_r:postfix_postdrop_t:s0 sgid=90 
subj=system_u:system_r:postfix_postdrop_t:s0 suid=48 tclass=file 
tcontext=root:object_r:httpd_log_t:s0 tty=(none) uid=48

Expected results:
No SELinux denials when apache tries to send emails.

Additional info:
allow_httpd_anon_write --> on
allow_httpd_dbus_avahi --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
Comment 1 Daniel Walsh 2007-12-25 07:47:50 EST
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-2.6.4-66.fc7
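
An added example (not part of the bug report or of the selinux-policy project): this Python sketch reads AVC records in the format quoted in the description and collapses them into type-enforcement allow rules of the kind audit2allow derives, so they can be reviewed before a generated module is loaded with `semodule -i`. The sample text is the report's two denials joined onto one line each with some fields omitted; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: the two denials from the report, one record per line,
# trimmed to the fields the rule derivation needs.
SAMPLE = (
    'avc: denied { append } for comm="postdrop" exe="/usr/sbin/postdrop" '
    'path="/var/log/httpd/error_log" scontext=system_u:system_r:postfix_postdrop_t:s0 '
    'tclass=file tcontext=root:object_r:httpd_log_t:s0\n'
    'avc: denied { getattr } for comm="postdrop" exe="/usr/sbin/postdrop" '
    'path="/var/log/httpd/error_log" scontext=system_u:system_r:postfix_postdrop_t:s0 '
    'tclass=file tcontext=root:object_r:httpd_log_t:s0\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]


def derive_rules(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial
        perms = match.group(1).split()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        try:
            key = (type_of(fields["scontext"]),
                   type_of(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, IndexError):
            continue  # truncated or malformed record
        grouped[key].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        if not perms:
            continue
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in derive_rules(SAMPLE):
        print(rule)
```

Every denial in the input becomes an allow rule, so running this over a whole audit log shows exactly which accesses a catch-all module would grant beyond the two postdrop denials.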
Comment 2 Daniel Walsh 2008-01-30 14:06:21 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
