Re: [CentOS] SELInux conflict with Postfixadmin
On 02/21/2017 12:06 PM, Daniel J Walsh wrote: On 02/21/2017 11:52 AM, Robert Moskowitz wrote: On 02/21/2017 11:46 AM, Zdenek Sedlak wrote: On 2017-02-21 17:30, Robert Moskowitz wrote: postfixadmin setup.php is claiming: *Error: Smarty template compile directory templates_c is not writable.* *Please make it writable.* *If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.* This goes away with 'setenforce 0', so it is an SELinux issue. I have tried both: restorecon -Rv /usr/share/postfixadmin and chcon -R -t httpd_sys_content_t /usr/share/postfixadmin and they are not the problem. Googling this message doe snot produce any SELinux advice. Any ideas? thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos Hi, after 'setenforce 0' check the /var/log/audit/audit.log: # grep /var/log/audit/audit.log | audit2why Don't I need a search string in that grep command? to see where the problem could be. Anyway the last three entries are: type=AVC msg=audit(1487695678.704:128): avc: denied { write } for pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1 If you want to allow apache processes to write to the templates_c directory you need to label it httpd_sys_content_rw_t. Thanks! I undid the httpd_unified with: setsebool -P httpd_unified 0 Then did chcon -R -t httpd_sys_content_rw_t /usr/share/postfixadmin/templates_c And SELinux appears to be happy. type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0 ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1487695678.704:128): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELInux conflict with Postfixadmin
On 02/21/2017 11:52 AM, Robert Moskowitz wrote: > > > On 02/21/2017 11:46 AM, Zdenek Sedlak wrote: >> On 2017-02-21 17:30, Robert Moskowitz wrote: >>> postfixadmin setup.php is claiming: >>> >>> *Error: Smarty template compile directory templates_c is not writable.* >>> *Please make it writable.* >>> *If you are using SELinux or AppArmor, you might need to adjust their >>> setup to allow write access.* >>> >>> >>> This goes away with 'setenforce 0', so it is an SELinux issue. I have >>> tried both: >>> >>> restorecon -Rv /usr/share/postfixadmin >>> >>> and >>> >>> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin >>> >>> and they are not the problem. Googling this message doe snot produce >>> any SELinux advice. >>> >>> Any ideas? >>> >>> thanks >>> >>> ___ >>> CentOS mailing list >>> CentOS@centos.org >>> https://lists.centos.org/mailman/listinfo/centos >> Hi, >> >> after 'setenforce 0' check the /var/log/audit/audit.log: >> >> # grep /var/log/audit/audit.log | audit2why > > Don't I need a search string in that grep command? > >> to see where the problem could be. > > Anyway the last three entries are: > > type=AVC msg=audit(1487695678.704:128): avc: denied { write } for > pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 > scontext=system_u:system_r:httpd_t:s0 > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir > permissive=1 > If you want to allow apache processes to write to the templates_c directory you need to label it httpd_sys_content_rw_t. > type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 > per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0 > ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 > comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 > key=(null) > > type=PROCTITLE msg=audit(1487695678.704:128): > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 > > > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELInux conflict with Postfixadmin
On 02/21/2017 11:46 AM, Zdenek Sedlak wrote: On 2017-02-21 17:30, Robert Moskowitz wrote: postfixadmin setup.php is claiming: *Error: Smarty template compile directory templates_c is not writable.* *Please make it writable.* *If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.* This goes away with 'setenforce 0', so it is an SELinux issue. I have tried both: restorecon -Rv /usr/share/postfixadmin and chcon -R -t httpd_sys_content_t /usr/share/postfixadmin and they are not the problem. Googling this message doe snot produce any SELinux advice. Any ideas? thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos Hi, after 'setenforce 0' check the /var/log/audit/audit.log: # grep /var/log/audit/audit.log | audit2why Don't I need a search string in that grep command? to see where the problem could be. Anyway the last three entries are: type=AVC msg=audit(1487695678.704:128): avc: denied { write } for pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1 type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0 ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1487695678.704:128): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELInux conflict with Postfixadmin
On 02/21/2017 11:46 AM, Zdenek Sedlak wrote: On 2017-02-21 17:30, Robert Moskowitz wrote: postfixadmin setup.php is claiming: *Error: Smarty template compile directory templates_c is not writable.* *Please make it writable.* *If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.* This goes away with 'setenforce 0', so it is an SELinux issue. I have tried both: restorecon -Rv /usr/share/postfixadmin and chcon -R -t httpd_sys_content_t /usr/share/postfixadmin and they are not the problem. Googling this message doe snot produce any SELinux advice. Any ideas? thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos Hi, after 'setenforce 0' check the /var/log/audit/audit.log: # grep /var/log/audit/audit.log | audit2why to see where the problem could be. Playing around a little with this, I added templates_c as the grep string and got: type=AVC msg=audit(1487695678.704:128): avc: denied { write } for pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1 Was caused by: The boolean httpd_unified was set incorrectly. Description: Allow httpd to unified Allow access by executing: # setsebool -P httpd_unified 1 So I tried that, and the error went away. Going to have to add audit2why in my notes. thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELInux conflict with Postfixadmin
On 2017-02-21 17:30, Robert Moskowitz wrote: > postfixadmin setup.php is claiming: > > *Error: Smarty template compile directory templates_c is not writable.* > *Please make it writable.* > *If you are using SELinux or AppArmor, you might need to adjust their > setup to allow write access.* > > > This goes away with 'setenforce 0', so it is an SELinux issue. I have > tried both: > > restorecon -Rv /usr/share/postfixadmin > > and > > chcon -R -t httpd_sys_content_t /usr/share/postfixadmin > > and they are not the problem. Googling this message doe snot produce > any SELinux advice. > > Any ideas? > > thanks > > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos Hi, after 'setenforce 0' check the /var/log/audit/audit.log: # grep /var/log/audit/audit.log | audit2why to see where the problem could be. //Zdenek ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] SELInux conflict with Postfixadmin
postfixadmin setup.php is claiming: *Error: Smarty template compile directory templates_c is not writable.* *Please make it writable.* *If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.* This goes away with 'setenforce 0', so it is an SELinux issue. I have tried both: restorecon -Rv /usr/share/postfixadmin and chcon -R -t httpd_sys_content_t /usr/share/postfixadmin and they are not the problem. Googling this message doe snot produce any SELinux advice. Any ideas? thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos