Bug 453707 - SELinux is preventing sendmail (system_mail_t) "append" to /var/www/html/dhighley/logs/www-error (httpd_sys_content_t).
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-07-02 01:27 EDT by David Highley
Modified: 2008-07-02 09:15 EDT
Last Closed: 2008-07-02 09:15:43 EDT
Description David Highley 2008-07-02 01:27:31 EDT
Description of problem:
Logging errors when sending E-mail via squirrel mail

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-109.fc8

How reproducible:


Steps to Reproduce:
1. https://www.server.com/webmail/
2. compose an E-mail
3. send E-mail
  
Actual results:
After setting the Boolean to Allow http daemon to send mail, sending of E-mail
via squirrel mail works. But selinux is still logging an error:

type=AVC msg=audit(1214973802.839:1909): avc:  denied  { getattr } for  pid=3845
comm="sendmail" path="/etc/mail/submit.cf" dev=dm-0 ino=13946875
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0
tclass=file
type=SYSCALL msg=audit(1214973802.839:1909): arch=c000003e syscall=4 success=no
exit=-13 a0=7f232f445100 a1=7fff371f95a0 a2=7fff371f95a0 a3=0 items=0 ppid=16658
pid=3845 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51
fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1214973802.854:1910): avc:  denied  { getattr } for  pid=3845
comm="sendmail" path="/etc/mail/sendmail.cf" dev=dm-0 ino=13946873
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0
tclass=file
type=SYSCALL msg=audit(1214973802.854:1910): arch=c000003e syscall=4 success=no
exit=-13 a0=7fff371f4590 a1=7fff371f55f0 a2=7fff371f55f0 a3=7fff371f45a5 items=0
ppid=16658 pid=3845 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1214973846.220:1911): bool=httpd_can_sendmail
val=1 old_val=0 auid=0 ses=303
type=USER_AVC msg=audit(1214973846.227:1912): user pid=1868 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
received policyload notice (seqno=5) : exe="?" (sauid=81, hostname=?, addr=?,
terminal=?)'
type=SYSCALL msg=audit(1214973846.220:1911): arch=c000003e syscall=1 success=yes
exit=2 a0=6 a1=7fff96073d80 a2=2 a3=577082 items=0 ppid=3851 pid=3852 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=303
comm="setsebool" exe="/usr/sbin/setsebool" subj=system_u:system_r:setsebool_t:s0
key=(null)
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-error" dev=dm-0
ino=9984485 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1214973858.726:1913): arch=c000003e syscall=59
success=yes exit=0 a0=198ad50 a1=198afd0 a2=198ae00 a3=8 items=0 ppid=16644
pid=3854 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51
fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)


Expected results:


Additional info:
Comment 1 Daniel Walsh 2008-07-02 09:15:43 EDT
This looks like a local customization, so you need to provide local policy:

# grep system_mail /var/log/audit/audit.log | audit2allow -M mymail
# semodule -i mymail.pp
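
Added example (not part of the original comment, and not audit2allow's own code): a small Python reviewer that turns the AVC denials from this report into the kind of allow rules a local module would contain, together with the paths that triggered them, so the grant can be inspected before `semodule -i`. The function names and the `grep` parameter are assumptions made for this sketch; the sample records are copied from the report with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, wrapped lines rejoined.
SAMPLE_LOG = """\
type=AVC msg=audit(1214973802.839:1909): avc:  denied  { getattr } for  pid=3845 comm="sendmail" path="/etc/mail/submit.cf" dev=dm-0 ino=13946875 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854 comm="sendmail" path="/var/www/html/dhighley/logs/www-error" dev=dm-0 ino=9984485 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854 comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0 ino=9984483 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]

def denials(log, grep=None):
    """Yield (source, target, class, perms, path) for each AVC denial.
    `grep` (hypothetical parameter) keeps only lines containing that
    substring, mirroring the `grep system_mail` step in the comment."""
    for line in log.splitlines():
        m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
        if not line.startswith("type=AVC") or not m:
            continue
        if grep and grep not in line:
            continue
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        yield (context_type(f["scontext"]), context_type(f["tcontext"]),
               f["tclass"], m.group(1).split(), f.get("path", "").strip('"'))

def proposed_rules(log, grep=None):
    """Map each allow rule to the sorted list of paths that triggered it."""
    grouped = defaultdict(lambda: (set(), set()))
    for src, tgt, cls, perms, path in denials(log, grep):
        granted, paths = grouped[(src, tgt, cls)]
        granted.update(perms)
        if path:
            paths.add(path)
    rules = {}
    for (src, tgt, cls), (perms, paths) in sorted(grouped.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules["allow %s %s:%s %s;" % (src, tgt, cls, perm_txt)] = sorted(paths)
    return rules

if __name__ == "__main__":
    for rule, paths in proposed_rules(SAMPLE_LOG, grep="system_mail").items():
        print(rule)
        for path in paths:
            print("    triggered by", path)
```

The rule is keyed on types, not paths: it lets `system_mail_t` append to every file labelled `httpd_sys_content_t`, not only the two log files listed under it.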
