Bug 480079 - insufficient policy for SquirrelMail
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-01-14 22:42 UTC by Vadym Chepkov
Modified: 2009-01-15 15:54 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-01-15 15:54:36 UTC

Description Vadym Chepkov 2009-01-14 22:42:27 UTC
I have SquirrelMail installed and this is a webmail interface. It doesn't work with standard selinux configuration, because in order to work it needs to connect to imap and smtp ports for mail receiving/sending.

It can be bypassed by setting httpd_can_network_connect --> on, but I think it's too permissive. 

I added these rules to my local policy:

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2009-01-15 15:24:13 UTC
Does it work if you set

httpd_can_sendmail?

Comment 2 Vadym Chepkov 2009-01-15 15:38:41 UTC
It does, my bad.

In my defense, httpd_selinux(8) description of this boolean mentions only sendmail invocation and in this case httpd doesn't actually call sendmail.

Thank you.

Comment 3 Daniel Walsh 2009-01-15 15:54:36 UTC
No problem, we are having a doc writer review all of the services documentation so things like this hopefully will become clearer.
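
An added example, not code from this bug report or from the SELinux policy project: it filters audit records for httpd_t name_connect denials and renders the narrow local module the reporter describes, the alternative to turning on httpd_can_network_connect. The audit lines are constructed, and the module name squirrelmail_local is hypothetical.

```python
import re

# Constructed sample audit records (not taken from the bug report): three
# httpd_t outbound-connect denials of the kind a webmail front end triggers,
# plus one unrelated file denial that must stay out of the module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1231972947.101:210): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972949.310:212): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972951.442:214): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972960.007:220): avc:  denied  { read } for  pid=2301 comm="httpd" name="notes.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)")


def httpd_connect_denials(log_text):
    """Map each denied port type to the destination ports httpd_t tried."""
    found = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "tcp_socket":
            continue
        if "name_connect" not in m["perms"].split():
            continue
        # The SELinux type is the third colon-separated field of a context.
        if m["scontext"].split(":")[2] != "httpd_t":
            continue
        ports = found.setdefault(m["tcontext"].split(":")[2], set())
        dest = re.search(r"\bdest=(\d+)", line)
        if dest:
            ports.add(int(dest.group(1)))
    return {t: sorted(p) for t, p in sorted(found.items())}


def local_module(denials, name="squirrelmail_local"):  # hypothetical name
    """Render a policy module with one name_connect rule per port type."""
    types = "".join(f"\ttype {t};\n" for t in ["httpd_t", *denials])
    rules = "".join(
        f"allow httpd_t {t}:tcp_socket name_connect;\n" for t in denials)
    return (f"module {name} 1.0;\n\nrequire {{\n{types}"
            "\tclass tcp_socket name_connect;\n}\n\n" + rules)


if __name__ == "__main__":
    print(local_module(httpd_connect_denials(SAMPLE_AUDIT_LOG)))
```

The rendered text can be compiled and loaded with checkmodule, semodule_package and semodule.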
