Fedora Linux Support Community & Resources Center

Home Forums Posting Rules Linux Help Fedora Set-Up Guides Ask Fedora Fedora Project
Go Back   FedoraForum.org > Fedora 17/18 > Security and Privacy
Reload this Page SELinux prevents Squirrelmail from sending
FedoraForum Search
Forgot Password? Join Us!
Register All Albums FAQ Search Today's Posts Mark Forums Read

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 7th June 2006, 03:23 PM
termdex Offline
Registered User
  
Join Date: Jul 2005
Posts: 2
SELinux prevents Squirrelmail from sending
Just setup a FC5 server with SquirrelMail...
Already did the connect boolean thing so I can login...
But now when I try to send a message through SquirrelMail nothing happens.
Checking /var/log/messages shows:

Jun 7 07:33:41 host1 kernel: audit(1149687221.585:503): avc: denied { execute } for pid=5499 comm="httpd" name="bash" dev=hda2 ino=32289 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

And I get one of these for every message I try to send with SquirrelMail.
Apparently, SquirrelMail has httpd shellout to do something which selinux prevents. I never had this problem on FC3, the previous server.

I found a selinux apache man page
http://fedoraproject.org/wiki/SELinux/apache
where "You can disable SELinux protection for the httpd daemon by executing:

setsebool -P httpd_disable_trans 1
service httpd restart
"

But I'd rather fix just this specific issue than unilaterly disabling SElinux for apache.
Reply With Quote
  #2  
Old 2nd August 2006, 12:21 PM
bhaskar Offline
Registered User
  
Join Date: Aug 2006
Posts: 1
Fedora Core 5 Squirrelmail and selinux - not sending emails - .te fixed
Sending emails from squirrelmail-1.4.7-4.fc5.noarch.rpm on Fedora Core 5
I also had very tough time in patching up the selinux. I do not want to
remove security to httpd via selinux.
Here is the solution atlast I found
Create local.te with vi
=========
local.te
==========

module httpd 1.0;

require {
class file { execute getattr read write };
class file execute_no_trans;
class tcp_socket name_connect;
type httpd_t;
type shell_exec_t;
type pop_port_t;
type dovecot_auth_t;
type initrc_var_run_t;
type prelink_t;
type shell_exec_t;
type src_t;
type tmp_t;
role system_r;
};

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t shell_exec_t:file execute_no_trans;
allow dovecot_auth_t initrc_var_run_t:file { read write };
allow httpd_t shell_exec_t:file execute;
allow httpd_t shell_exec_t:file read;
allow httpd_t tmp_t:file { getattr read };
allow prelink_t src_t:file read;

#ALLOW=local
#checkmodule -M -m -o $ALLOW.mod $ALLOW.te
#semodule_package -o $ALLOW.pp -m $ALLOW.mod
#semodule -i $ALLOW.pp

This will install local.te rules and now it should send the email
I am using default dovecot

Hope this is useful

Bhaskar
Reply With Quote
Reply

Tags
prevents, selinux, sending, squirrelmail

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Selinux prevents wireless connection relayer Servers & Networking 0 24th January 2009 08:18 PM
SELinux prevents login after FC9 upgrade jak56 Security and Privacy 2 20th June 2008 12:04 AM
SELinux prevents logwatch email cwebster Security and Privacy 4 3rd June 2008 07:44 PM


Current GMT-time: 13:29 (Wednesday, 22-05-2013)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.
Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

 FedoraForum is Powered by RedHat