For posterity's sake:
Upgrading the SELinux policy had some unintended side effects. The new policy
had a more restrictive context for httpd. I had to grant httpd a lot of
additional permissions. This is probably poor security, but I figure it is
better than disabling SELinux completely--which is the only other option that
I currently know about.
I created a file /etc/selinux/targeted/src/policy/domains/misc/local.te with
these contents:
# Allow httpd to write so that Issue Tracker will work.
# Permission sets inside the braces of an allow rule are space-separated.
allow httpd_t httpd_sys_content_t:dir { write add_name remove_name };
allow httpd_t httpd_sys_content_t:file { append create write setattr rename };
I then did:
# cd /etc/selinux/targeted/src/policy
# make reload
Things seem to be working now.
Richard Esplin
On Friday 13 May 2005 10:10, Richard Esplin wrote:
> Success!
>
> I went to rpmfind and downloaded
> selinux-policy-targeted-1.17.30-3.2.noarch.rpm
> selinux-policy-targeted-sources-1.17.30-3.2.noarch.rpm
>
> I uninstalled the previous rpms (using --nodeps), and installed these rpms.
> The sources rpm gave a fixfiles error. I then ran:
>
> fixfiles -R selinux-policy-targeted-sources restore
> fixfiles -R postfix restore
>
> And PHP mail works!
>
> I still get this error:
> May 13 10:04:26 legolas kernel: audit(1116000266.637:0): avc: denied
> { getattr } for pid=26577 exe=/usr/sbin/postdrop
> path=/var/spool/postfix/public/pickup dev=md1 ino=438092
> scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
> tclass=fifo_file
>
> But mail is being delivered, so I'm ignoring it.
>
> I hope that my policy change doesn't have any negative side-effects.
>
> Thanks for the help, Jordan.
>
> Richard Esplin
>
<snip>
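The thread grants httpd broad write rights by hand and then ignores a leftover avc denial. A narrower approach, added here as an example that is not part of the thread, is to turn the actual denials into the smallest matching allow rules, which is what audit2allow automates. The script below parses the kernel audit line format quoted above (the postdrop denial, re-joined onto one line, plus two constructed lines for illustration), merges permissions per source type, target type and object class, and prints allow rules in the syntax used in local.te. Field names and the sample lines are taken from or modelled on the thread; the second and third log lines are invented.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the thread (re-joined),
# lines 2 and 3 are invented to show merging of permissions per rule key.
SAMPLE_LOG = """\
May 13 10:04:26 legolas kernel: audit(1116000266.637:0): avc: denied { getattr } for pid=26577 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=md1 ino=438092 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=fifo_file
May 13 10:05:01 legolas kernel: audit(1116000301.120:0): avc: denied { write } for pid=26580 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=md1 ino=438092 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=fifo_file
May 13 10:06:12 legolas kernel: audit(1116000372.455:0): avc: denied { write add_name } for pid=26601 exe=/usr/sbin/httpd path=/var/www/html/tracker dev=md1 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the denial's perms, source/target types and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": stype,
        "target": ttype,
        "tclass": tclass,
        "exe": fields.get("exe"),
        "path": fields.get("path"),
    }


def collect_rules(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return merged


def format_rules(merged):
    """Render merged denials as allow rules in local.te syntax."""
    lines = []
    for (s, t, c) in sorted(merged):
        perms = " ".join(sorted(merged[(s, t, c)]))
        lines.append(f"allow {s} {t}:{c} {{ {perms} }};")
    return lines


if __name__ == "__main__":
    for rule in format_rules(collect_rules(SAMPLE_LOG)):
        print(rule)
```

Each generated rule should still be read before it goes into local.te: the exe and path fields tell you which program touched which object, so a denial caused by a mislabelled file (fixed with restorecon or fixfiles, as earlier in the thread) is not turned into a permanent policy grant.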
.===================================.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin. |
| IRC: #utah at irc.freenode.net |
`==================================='