Bug 480079 - insufficient policy for SquirrelMail
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-01-14 17:42 EST by Vadym Chepkov
Modified: 2009-01-15 10:54 EST
Doc Type: Bug Fix
Last Closed: 2009-01-15 10:54:36 EST
Description Vadym Chepkov 2009-01-14 17:42:27 EST
I have SquirrelMail installed and this is a webmail interface. It doesn't work with standard selinux configuration, because in order to work it needs to connect to imap and smtp ports for mail receiving/sending.

It can be bypassed by setting httpd_can_network_connect --> on, but I think it's too permissive. 

I added these rules to my local policy:

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
Comment 1 Daniel Walsh 2009-01-15 10:24:13 EST
Does it work if you set

httpd_can_sendmail?
Comment 2 Vadym Chepkov 2009-01-15 10:38:41 EST
It does, my bad.

In my defense, httpd_selinux(8) description of this boolean mentions only sendmail invocation and in this case httpd doesn't actually call sendmail.

Thank you.
Comment 3 Daniel Walsh 2009-01-15 10:54:36 EST
No problem, we are having a doc writer review all of the services documentation so things like this hopefully will become clearer.
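
An added example (not part of the report or its comments, and not project code): a bash triage of httpd_t name_connect denials that picks the narrowest of the fixes discussed in this thread. The AVC records are constructed samples, the function names are hypothetical, and the mapping of pop_port_t and smtp_port_t to httpd_can_sendmail is an assumption based on the outcome reported above.

```shell
#!/bin/bash
# Added example, not from the bug report. Assumption taken from this thread:
# httpd_can_sendmail covers httpd_t connects to pop_port_t and smtp_port_t.

# Constructed AVC records in audit.log format (sample data, not from the report).
SAMPLE_AVC='type=AVC msg=audit(1231972947.101:41): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972951.310:42): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231972960.007:43): avc:  denied  { read } for  pid=2345 comm="httpd" name="prefs" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# stdin: audit records. stdout: distinct port types that httpd_t was denied
# name_connect to, one per line. Non-httpd and non-socket denials are ignored.
denied_port_types() {
    grep 'denied.*name_connect' |
        grep 'scontext=[^ ]*:httpd_t:' | grep 'tclass=tcp_socket' |
        sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' | sort -u
}

# stdin: audit records. stdout: the narrowest fix that covers every denial:
#   none, httpd_can_sendmail, or local-policy (write per-port allow rules
#   instead of enabling the broad httpd_can_network_connect).
narrowest_fix() {
    local t fix=none
    for t in $(denied_port_types); do
        case "$t" in
            pop_port_t|smtp_port_t)
                if [ "$fix" = none ]; then fix=httpd_can_sendmail; fi ;;
            *) fix=local-policy ;;
        esac
    done
    echo "$fix"
}

# stdin: audit records. stdout: allow rules, in the form used in the report,
# for denied port types that the mail boolean does not cover.
local_rules() {
    denied_port_types | grep -v -x -e pop_port_t -e smtp_port_t |
        sed 's/.*/allow httpd_t &:tcp_socket name_connect;/'
}

printf '%s\n' "$SAMPLE_AVC" | narrowest_fix
```

On a live system the same functions can be fed from the audit log instead of the sample variable.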
