Bug 745380
| Summary: | SELinux seems to block sending e-mails from the squirrelmail web interface | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Răzvan Sandu <rsandu2004> |
| Component: | squirrelmail | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 5.8 | CC: | asersen, azelinka, dwalsh, mmalik, ovasik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | squirrelmail-1.4.8-19.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-01-08 04:59:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Răzvan Sandu
2011-10-12 08:04:44 UTC
What AVC's are you seeing? I am not sure if squirrelmail needs the httpd_can_sendmail boolean turned on. setsebool -P httpd_can_sendmail 1 Hello,
With SELinux enabled, ausearch gives me this:
type=SYSCALL msg=audit(1318429512.012:45963): arch=c000003e syscall=80 success=no exit=-13 a0=7f9167a5b250 a1=7f9167a5c3b0 a2=2000 a3=7fffab330ec0 items=0 ppid=60132 pid=57437 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=41 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1318429512.012:45963): avc: denied { search } for pid=57437 comm="sendmail" name="postfix" dev=sda2 ino=10224303 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
and I also have
sendmail: fatal: chdir /var/spool/postfix: Permission denied
in /etc/httpd/logs/error_log
Thanks a lot,
Răzvan
Did you turn on the boolean? Hello, I may confirm that setting the httpd_can_sendmail boolean to 1 apparently solved the problem: setsebool -P httpd_can_sendmail 1 IMHO, this SELinux setting should be automagically turned on by the squirrelmail package, when installing squirrelmail (OR default in selinux-policy-targeted). Could you please Cc the squirrelmail package maintainer ? Many thanks, Răzvan I don't think that would be a good idea since people could install the squirrelmail package without every intending to use it (Everything install). But we probably should put it in the Readme/Documentation. The distro is big these days, squirrelmail is not even part of the new 6.x series in RHEL and CentOS and there is no „Install Everyting” option in anaconda. People who want squrrelmail must specifically dig for it in EPEL. IMHO, the security vs. usability balance inclines to usability here, since the risk of installing squirrelmail when not really intending to is practically zero. Răzvan With correct selinux boolean set, it should work, lowering severity. This bug will be documentation change only. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0126.html |