Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 745380 - SELinux seems to block sending e-mails from the squirrelmail web interface
SELinux seems to block sending e-mails from the squirrelmail web interface
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: squirrelmail (Show other bugs)
5.8
All Linux
unspecified Severity low
: rc
: ---
Assigned To: Michal Hlavinka
qe-baseos-daemons
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-12 04:04 EDT by Răzvan Sandu
Modified: 2013-01-07 23:59 EST (History)
5 users (show)

See Also:
Fixed In Version: squirrelmail-1.4.8-19.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 23:59:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0126 normal SHIPPED_LIVE Low: squirrelmail security and bug fix update 2013-01-08 04:21:41 EST

  None (edit)
Description Răzvan Sandu 2011-10-12 04:04:44 EDT 
Description of problem:

SELinux seems to block sending e-mails from the squirrelmail web interface.

Error message is (in squirrelmail):

"75 Can't execute command '/usr/sbin/sendmail -i -t -fsender@example.com"

Message goes if setenforce = 0.


Version-Release number of selected component (if applicable):

This was tested on CentOS 6.0 and squirrelmail from 6.0 EPEL (this bug was put here because squirrelmail seems to be excluded from 6.x).

squirrelmail-1.4.22-2.el6.noarch
selinux-policy-targeted-3.7.19-93.el6_1.7.noarch
postfix-2.6.6-2.1.el6_0.x86_64

  
Actual results:
SELinux blocks squirrelmail, with the above message.

Expected results:
The default SELinux policy should allow normal operation of squirrelmail in all Red Hat-based distros.
Comment 1 Daniel Walsh 2011-10-12 09:24:44 EDT 
What AVC's are you seeing?

I am not sure if squirrelmail needs the httpd_can_sendmail boolean turned on.

setsebool -P httpd_can_sendmail 1
Comment 2 Răzvan Sandu 2011-10-12 10:35:00 EDT 
Hello,


With SELinux enabled, ausearch gives me this:

type=SYSCALL msg=audit(1318429512.012:45963): arch=c000003e syscall=80 success=no exit=-13 a0=7f9167a5b250 a1=7f9167a5c3b0 a2=2000 a3=7fffab330ec0 items=0 ppid=60132 pid=57437 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=41 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1318429512.012:45963): avc:  denied  { search } for  pid=57437 comm="sendmail" name="postfix" dev=sda2 ino=10224303 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir 


and I also have


sendmail: fatal: chdir /var/spool/postfix: Permission denied

in /etc/httpd/logs/error_log


Thanks a lot,
Răzvan
Comment 3 Daniel Walsh 2011-10-12 13:53:07 EDT 
Did you turn on the boolean?
Comment 4 Răzvan Sandu 2011-10-17 07:46:13 EDT 
Hello,

I may confirm that setting the httpd_can_sendmail boolean to 1 apparently solved the problem:

setsebool -P httpd_can_sendmail 1

IMHO, this SELinux setting should be automagically turned on by the squirrelmail package, when installing squirrelmail (OR default in selinux-policy-targeted). Could you please Cc the squirrelmail package maintainer ?


Many thanks,
Răzvan
Comment 5 Daniel Walsh 2011-10-17 14:06:40 EDT 
I don't think that would be a good idea since people could install the squirrelmail package without every intending to use it (Everything install).

But we probably should put it in the Readme/Documentation.
Comment 6 Răzvan Sandu 2011-10-17 14:39:34 EDT 
The distro is big these days, squirrelmail is not even part of the new 6.x series in RHEL and CentOS and there is no „Install Everyting” option in anaconda.

People who want squrrelmail must specifically dig for it in EPEL.

IMHO, the security vs. usability balance inclines to usability here, since the risk of installing squirrelmail when not really intending to is practically zero.

Răzvan
Comment 7 Michal Hlavinka 2012-03-06 05:00:42 EST 
With correct selinux boolean set, it should work, lowering severity. This bug will be documentation change only.
Comment 8 RHEL Product and Program Management 2012-04-02 06:33:30 EDT 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 15 errata-xmlrpc 2013-01-07 23:59:42 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0126.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.