Bug 799135 - rt3 needs SELinux policy to allow sending mail
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: rt3
Version: 16
Assigned To: Ralf Corsepius
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-03-01 15:47 EST by Gabriel Somlo
Modified: 2012-03-05 03:48 EST
Doc Type: Bug Fix
Last Closed: 2012-03-02 14:41:08 EST
Description Gabriel Somlo 2012-03-01 15:47:42 EST
Description of problem:

A stock, up-to-date F16 install with rt3 installed and configured cannot send email due to SELinux AVC denials.


Version-Release number of selected component (if applicable):

rt3-3.8.11-6.fc16.noarch


How reproducible:

open new ticket on fresh RT installation


Steps to Reproduce:
1. install and initialize RT on fresh Fedora 16 box
2. open new ticket (e.g. via web u/i)
3. error entry gets logged right after initial ticket entry:

Actual results:

Second entry logged for the ticket reads:

The RT System itself - System error
Sending the previous mail has failed. Please contact your admin, they can find more details in the logs
  
Expected results:

The entry should read like this instead:

The RT System itself - Outgoing email recorded 

Additional info:

I poked around with 'audit2allow' and came up with the following policy to make the problem go away:

module ini_rt3_mail 1.0;

require {
        type mqueue_spool_t;
        type httpd_t;
        type etc_mail_t;
        class process setrlimit;
        class dir { write search getattr add_name };
        class file { write getattr read lock create open };
}

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr open };
allow httpd_t mqueue_spool_t:dir { write search getattr add_name };
allow httpd_t mqueue_spool_t:file { lock read write getattr create open };
allow httpd_t self:process setrlimit;

Please consider adding a rt3-selinux subpackage as per
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

Thanks,
--G
Comment 1 Ralf Corsepius 2012-03-02 13:40:39 EST
Well, I do not understand why rt3 would need special SELinux rules to send emails, but my knowledge of SELinux rules is close to null.

CC-ing the SELinux maintainers; maybe they can help.
Comment 2 Daniel Walsh 2012-03-02 14:41:08 EST
If you want to set up Apache to send mail, then you need to turn on the httpd_can_sendmail boolean.

setsebool -P httpd_can_sendmail 1
Comment 3 Gabriel Somlo 2012-03-02 14:53:12 EST
Thanks, setting the httpd_can_sendmail boolean took care of it!
Comment 4 Miroslav Grepl 2012-03-05 03:48:45 EST
Also, setroubleshoot should tell you what to do, or you can see more info using

$ man httpd_selinux
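
Added example (not part of the original bug thread, and not code from rt3 or the SELinux policy): a triage helper that groups AVC denials by source type, target type and class, and flags the httpd_t denials against etc_mail_t and mqueue_spool_t that this thread resolved with the httpd_can_sendmail boolean instead of a custom module. The audit records, the function names and the "review" label are assumptions made for illustration.

```shell
# Added example: group AVC denials and flag the ones this thread shows are
# covered by the httpd_can_sendmail boolean, before writing a custom module.

# Constructed sample audit records (not taken from the bug report).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1330634862.101:201): avc:  denied  { search } for  pid=2101 comm="sendmail" name="mail" dev=dm-1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1330634862.102:202): avc:  denied  { getattr } for  pid=2101 comm="sendmail" name="mail" dev=dm-1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1330634862.103:203): avc:  denied  { read open } for  pid=2101 comm="sendmail" name="example.cf" dev=dm-1 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1330634862.104:204): avc:  denied  { write add_name } for  pid=2101 comm="sendmail" name="queue" dev=dm-1 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1330634899.105:205): avc:  denied  { search } for  pid=2140 comm="sendmail" name="mail" dev=dm-1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1330634901.106:206): avc:  denied  { read } for  pid=2150 comm="httpd" name="notes.txt" dev=dm-1 ino=1004 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit records on stdin; prints "source target class perms hint".
summarize_avc() {
    awk '
    function field(name,   i) {            # value of a key=value token
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    /avc:/ && /denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        split(field("scontext"), s, ":"); split(field("tcontext"), t, ":")
        key = s[3] " " t[3] " " field("tclass")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)             # de-duplicate permissions per key
            if (!seen[key, p[j]]++)
                set[key] = ((set[key] == "") ? "" : (set[key] ",")) p[j]
    }
    END {
        for (key in set) {
            split(key, k, " ")
            hint = "review"                  # assumption: everything else needs a human look
            if (k[1] == "httpd_t" && (k[2] == "etc_mail_t" || k[2] == "mqueue_spool_t"))
                hint = "boolean:httpd_can_sendmail"
            print key, set[key], hint
        }
    }' | LC_ALL=C sort
}

sample_avc | summarize_avc
```

On a real host the input would come from the audit log (for example `ausearch -m avc -ts recent`), and `getsebool httpd_can_sendmail` shows the boolean's current state.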
