Description of problem:
After installing a somewhat "typical" php/web application, it was discovered that SELinux was blocking access for postfix to pipe into php.

Version-Release number of selected component (if applicable):
2.4.6-300.el5_6.1

How reproducible:
100%

Steps to Reproduce:
1. install/configure postfix
2. install something in /var/www/html
3. try to pipe to it

Actual results:
SELinux denies the access

Expected results:
SELinux should be (more) easily configurable to allow the access

Additional info:
So I don't really feel that this is a "bug" in selinux-policy exactly. It may be useful to have some kind of boolean to allow postfix/pipe to access httpd/databases. I would think that it is "common" to want to process email via postfix and then send it via pipe to some kind of web program.

The following policy was generated by audit2allow. All of this is required for "my" specific use-case, but I am guessing this is not that uncommon of a use case to begin with. The specific web application being used is OSTicket, a PHP-based helpdesk.

Would it make more sense to somehow package this as a policy module for OSTicket, if it were packaged as an RPM? The difficulty there is that someone could be using any MTA with OSTicket, not necessarily postfix. Seems like making this associated with postfix covers more use cases.
Output:

module postfix 1.0;

require {
    type mysqld_var_run_t;
    type usr_t;
    type httpd_var_run_t;
    type mysqld_t;
    type mysqld_db_t;
    type httpd_sys_content_t;
    type system_mail_t;
    type postfix_pipe_t;
    class sock_file write;
    class unix_stream_socket { read write connectto };
    class dir { write search add_name getattr };
    class file { write getattr ioctl read lock create execute execute_no_trans };
}

#============= postfix_pipe_t ==============
allow postfix_pipe_t httpd_sys_content_t:dir { search getattr };
allow postfix_pipe_t httpd_sys_content_t:file { read execute ioctl execute_no_trans getattr };
allow postfix_pipe_t httpd_var_run_t:dir { write search add_name };
allow postfix_pipe_t httpd_var_run_t:file { write lock create getattr };
allow postfix_pipe_t mysqld_db_t:dir search;
allow postfix_pipe_t mysqld_t:unix_stream_socket connectto;
allow postfix_pipe_t mysqld_var_run_t:sock_file write;
allow postfix_pipe_t usr_t:file { read getattr };

#============= system_mail_t ==============
allow system_mail_t postfix_pipe_t:unix_stream_socket { read write };
I am interested in allow postfix_pipe_t httpd_sys_content_t:file { read execute ioctl execute_no_trans getattr }; What is executed by postfix pipe? I mean a path to a script?
Here's the example pipe from my master.cf for my use case:

### osticket pipe
osticket  unix  -  n  n  -  -  pipe
  flags=Fq user=apache:apache argv=/var/www/html/helpdesk/api/pipe.php ${sender}

OSTicket is a PHP application for helpdesk-type ticketing. When emails come in for a particular user, they are piped (via postfix pipe) to this php script so that OSTicket can ingest them. In this case, that's essentially the crux of the missing SELinux policy -- pipe should be able to access httpd content and execute things like php scripts, for users who wish for it to be able to do so.
I would imagine allowing it using a new boolean which could contain

apache_domtrans_sys_script(postfix_pipe_t)

which would also require having the "httpd_enable_cgi" & "httpd_unified" booleans enabled. Could you test it with the following local policy

# cat mypostfix.te
policy_module(mypostfix, 1.0)

require{
    type postfix_pipe_t;
}

apache_domtrans_sys_script(postfix_pipe_t)

---

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp

and

# setsebool httpd_enable_cgi on
# setsebool httpd_unified on
Do I need to unload the module I compiled based on my initial comment, or is the module you're suggesting in addition to what I've already compiled/installed?
Yes, please, unload your module. I would like to see all AVC msgs.
Erik, any update on this?
Been travelling like a madman. Hopefully the week after next. I need to take some PTO, too, so we'll see. Sorry!
Doesn't look like it worked:

==> /var/log/maillog <==
Nov 22 14:43:42 rails3 postfix/pickup[2223]: AC0B230787: uid=0 from=<root>
Nov 22 14:43:42 rails3 postfix/cleanup[3535]: AC0B230787: message-id=<20111122144342.GA3471.baz>
Nov 22 14:43:42 rails3 postfix/qmgr[2224]: AC0B230787: from=<root.baz>, size=397, nrcpt=1 (queue active)
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: connect from rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: 500B2304E3: client=rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 postfix/cleanup[3535]: 500B2304E3: message-id=<20111122144342.GA3471.baz>
Nov 22 14:43:43 rails3 postfix/qmgr[2224]: 500B2304E3: from=<root.baz>, size=862, nrcpt=1 (queue active)
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: disconnect from rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 pipe[3544]: fatal: pipe_command: execvp /var/www/html/helpdesk/api/pipe.php: Permission denied
Nov 22 14:43:43 rails3 amavis[2329]: (02329-01) Passed CLEAN, <root.baz> -> <"support"@osticket.bar.baz>, Message-ID: <20111122144342.GA3471.baz>, mail_id: VLHc+62U54rD, Hits: -0.001, queued_as: 500B2304E3, 746 ms
Nov 22 14:43:43 rails3 postfix/lmtp[3537]: AC0B230787: to=<support@osticket.bar.baz>, orig_to=<support>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.92, delays=0.17/0.01/0.01/0.74, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=02329-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 500B2304E3)
Nov 22 14:43:43 rails3 postfix/qmgr[2224]: AC0B230787: removed
Nov 22 14:43:43 rails3 postfix/pipe[3543]: 500B2304E3: to=<support@osticket.bar.baz>, relay=osticket, delay=0.28, delays=0.17/0.01/0/0.1, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /var/www/html/helpdesk/api/pipe.php: Permission denied )

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1321973023.508:101): avc: denied { search } for pid=3544 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1321973023.508:101): arch=40000003 syscall=11 success=no exit=-13 a0=890c548 a1=890bf38 a2=890c5d8 a3=30 items=0 ppid=3543 pid=3544 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)

root.baz ~/selinux> semodule -l
aisexec 1.0.0
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
clogd 1.0.0
dcc 1.1.0
dnsmasq 1.1.1
evolution 1.1.0
ipsec 1.4.0
iscsid 1.0.0
milter 1.0.0
mozilla 1.1.0
mplayer 1.1.0
mypostfix 1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
piranha 1.0.0
postgrey 1.1.0
prelude 1.0.0
pyzor 1.1.0
qemu 1.1.2
razor 1.1.0
rgmanager 1.0.0
rhcs 1.1.0
ricci 1.0.0
rsyslog 1.0
smartmon 1.1.0
spamassassin 1.9.0
sssd 1.0.2
vhostmd 1.0.0
virt 1.2.1
zarafa 1.2
zosremote 1.0.0

root.baz ~/selinux> getsebool -a | grep httpd
httpd_enable_cgi --> on
httpd_unified --> on

root.baz ~/selinux> cat mypostfix.te
policy_module(mypostfix, 1.0)

require{
    type postfix_pipe_t;
}

apache_domtrans_sys_script(postfix_pipe_t)
root.baz ~/selinux> yum list installed '*selinux*'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * extras: mirror.highspeedweb.net
 * updates: ftp.usf.edu
Installed Packages
libselinux.i386 1.33.4-5.7.el5
libselinux-devel.i386 1.33.4-5.7.el5
libselinux-python.i386 1.33.4-5.7.el5
libselinux-ruby.i386 1.33.4-5.7.el5
libselinux-utils.i386 1.33.4-5.7.el5
selinux-policy.noarch 2.4.6-316.el5
selinux-policy-devel.noarch 2.4.6-316.el5
selinux-policy-targeted.noarch 2.4.6-316.el5
Erik, could you switch to permissive mode for all AVC msgs.

# setenforce 0

re-test it and

# ausearch -m avc -ts recent

Thank you.
I know, I'm a slowpoke.

root.baz /var/www/html/helpdesk/api> ausearch -m avc -ts recent
----
time->Thu Dec 22 15:19:35 2011
type=SYSCALL msg=audit(1324567175.526:73): arch=40000003 syscall=11 success=no exit=-13 a0=89ec550 a1=89ebf40 a2=89ec5e0 a3=30 items=0 ppid=2948 pid=2949 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1324567175.526:73): avc: denied { search } for pid=2949 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567175.526:73): avc: denied { search } for pid=2949 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Thu Dec 22 15:24:48 2011
type=SYSCALL msg=audit(1324567488.032:80): arch=40000003 syscall=11 success=no exit=-13 a0=85ab550 a1=85aaf40 a2=85ab5e0 a3=30 items=0 ppid=3179 pid=3180 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1324567488.032:80): avc: denied { search } for pid=3180 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567488.032:80): avc: denied { search } for pid=3180 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.277:82): arch=40000003 syscall=5 success=yes exit=4 a0=bf94e218 a1=42 a2=180 a3=8ca8a24 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.277:82): avc: denied { create } for pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1324567645.277:82): avc: denied { add_name } for pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc: denied { write } for pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc: denied { search } for pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.163:81): arch=40000003 syscall=5 success=no exit=-2 a0=bf9522e8 a1=0 a2=1b6 a3=8b9c038 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.163:81): avc: denied { search } for pid=3228 comm="pipe.php" name="postfix" dev=dm-0 ino=197490 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.278:83): arch=40000003 syscall=143 success=yes exit=0 a0=4 a1=2 a2=0 a3=8ca8a24 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.278:83): avc: denied { lock } for pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.278:84): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf94f1c0 a2=71fff4 a3=3 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.278:84): avc: denied { getattr } for pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.303:85): arch=40000003 syscall=181 success=yes exit=33 a0=4 a1=8e1d8e4 a2=21 a3=0 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.303:85): avc: denied { write } for pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
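Added illustration, not code from this bug, from OSTicket or from the selinux-policy package: the Python below reimplements the part of audit2allow that turns raw AVC records like the ones in this thread into allow rules, so that the grouping by (source domain, target type, object class) is visible, and adds one review step: if a denial asks for execute or execute_no_trans on a file, a plain allow would run the script in the caller's domain, which is what the audit2allow module in the first comment did for pipe.php and what apache_domtrans_sys_script() replaces with a transition into httpd_sys_script_t. The first sample is constructed (the execute_no_trans line is invented to stand in for the rule audit2allow produced; only that rule, not the AVC, appears in the bug); the second sample is copied from the permissive-mode ausearch output above, trimmed. It shows the transition working: the remaining denials come from httpd_sys_script_t writing PHP session files under httpd_var_run_t and looking into postfix_spool_t, not from postfix_pipe_t.

```python
import re
from collections import defaultdict

# One AVC record; only the fields needed for a type-enforcement rule are captured.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample for the first run (before the domtrans module). The search
# denial is the one posted; the execute_no_trans line is invented to match the
# audit2allow rule the reporter got for pipe.php.
RUN1_AVCS = """\
type=AVC msg=audit(1321973023.508:101): avc: denied { search } for pid=3544 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1321973023.508:101): avc: denied { execute_no_trans } for pid=3544 comm="pipe" path="/var/www/html/helpdesk/api/pipe.php" scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Sample copied (trimmed) from the permissive-mode ausearch output in the bug.
RUN2_AVCS = """\
type=AVC msg=audit(1324567175.526:73): avc: denied { search } for pid=2949 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567175.526:73): avc: denied { search } for pid=2949 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc: denied { create } for pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1324567645.277:82): avc: denied { add_name } for pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc: denied { write } for pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.163:81): avc: denied { search } for pid=3228 comm="pipe.php" name="postfix" dev=dm-0 ino=197490 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1324567645.278:83): avc: denied { lock } for pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1324567645.303:85): avc: denied { write } for pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
"""


def context_type(ctx):
    """Type field of a user:role:type:level context (the user field is irrelevant to TE rules)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC records into dicts; lines that are not AVC denials (SYSCALL, time->) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            "sdom": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def group_rules(denials):
    """Merge denials into audit2allow-style rules keyed by (source domain, target type, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["sdom"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def domains_seen(denials):
    """Source domains that produced denials; tells you whether a domain transition took place."""
    return {d["sdom"] for d in denials}


def needs_domtrans(rules):
    """(domain, type) pairs where an allow rule would execute the file in the caller's own domain."""
    return sorted({(s, t) for (s, t, c), p in rules.items()
                   if c == "file" and p & {"execute", "execute_no_trans"}})


def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render rules in the module/require/allow form audit2allow -M prints."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c] |= p
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {_perm_str(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_perm_str(rules[(s, t, c)])};" for (s, t, c) in sorted(rules)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    r1 = group_rules(parse_avc(RUN1_AVCS))
    print("review before allowing (would run the script without a transition):", needs_domtrans(r1))
    print(render_module("mypipe", group_rules(parse_avc(RUN2_AVCS))))
```

Run stand-alone it prints the (postfix_pipe_t, httpd_sys_content_t) pair for the first sample and the rendered module for the second; the rendered text has the same shape as the audit2allow output in the first comment, but the rules for httpd_sys_script_t are ones to compare against what the stock apache policy already grants to that domain rather than to load blindly.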
Please let me know if there is any additional information I can provide to speed this along.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Hi, It's been a really long time. Will this make it into RHEL5 or is this going to only be in RHEL6?
We are going to fix it in RHEL6+.