Re: [CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 12:06 PM, Daniel J Walsh wrote:


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:


On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

Don't I need a search string in that grep command?


to see where  the problem could be.

Anyway the last three entries are:

type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
permissive=1


If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.


Thanks!

I undid the httpd_unified with:

setsebool -P httpd_unified 0

Then did

chcon -R -t httpd_sys_content_rw_t /usr/share/postfixadmin/templates_c

And SELinux appears to be happy.


type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
key=(null)

type=PROCTITLE msg=audit(1487695678.704:128):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
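
The denial quoted in this thread, worked as an added example (not part of the original messages): the script pulls the source type, target type, class and permission out of AVC records, then prints the commands that record the httpd_sys_content_rw_t label for one directory in the file-context policy. The function names are hypothetical, the sample record is the thread's AVC joined onto one line, and using semanage fcontext with restorecon is an assumption that goes beyond the chcon used above; a label set only with chcon is reset by a later restorecon or relabel.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log text.
# One output line per denial:
#   <source type> <target type> <class> <permissions> <object name> permissive=<0|1>
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; name = "-"; mode = "?"
        # Permissions sit between braces, for example { write } or { read open }.
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            # An SELinux context is user:role:type:level, so the type is field 3.
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "name") { name = kv[2]; gsub(/"/, "", name) }
            else if (kv[1] == "permissive") mode = kv[2]
        }
        print src, tgt, cls, perms, name, "permissive=" mode
    }'
}

# Print (do not run) the commands that make the writable label persistent
# for a single directory, leaving the rest of the tree read-only to httpd.
persistent_label_cmds() {
    dir=$1
    printf "semanage fcontext -a -t httpd_sys_content_rw_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv %s\n" "$dir"
}

# Constructed sample: the AVC record from this thread on one line, plus a
# shortened SYSCALL record that the parser must ignore.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
}

sample_log | avc_summary
persistent_label_cmds /usr/share/postfixadmin/templates_c
```

permissive=1 in the summary means the access was logged but allowed, which matches the record having been captured after 'setenforce 0'.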


Re: [CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Daniel J Walsh


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:
>
>
> On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:
>> On 2017-02-21 17:30, Robert Moskowitz wrote:
>>> postfixadmin setup.php is claiming:
>>>
>>> *Error: Smarty template compile directory templates_c is not writable.*
>>> *Please make it writable.*
>>> *If you are using SELinux or AppArmor, you might need to adjust their
>>> setup to allow write access.*
>>>
>>>
>>> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
>>> tried both:
>>>
>>> restorecon -Rv /usr/share/postfixadmin
>>>
>>> and
>>>
>>> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>>>
>>> and they are not the problem.  Googling this message does not produce
>>> any SELinux advice.
>>>
>>> Any ideas?
>>>
>>> thanks
>>>
>> Hi,
>>
>> after 'setenforce 0' check the /var/log/audit/audit.log:
>>
>> # grep /var/log/audit/audit.log | audit2why
>
> Don't I need a search string in that grep command?
>
>> to see where  the problem could be.
>
> Anyway the last three entries are:
>
> type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
> pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> permissive=1
>
If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.
> type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
> per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
> ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> type=PROCTITLE msg=audit(1487695678.704:128):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>


Re: [CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks


Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why


Don't I need a search string in that grep command?


to see where  the problem could be.


Anyway the last three entries are:

type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for 
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir 
permissive=1


type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33 
per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0 
ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


type=PROCTITLE msg=audit(1487695678.704:128): 
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44





Re: [CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz



On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:

On 2017-02-21 17:30, Robert Moskowitz wrote:

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their
setup to allow write access.*


This goes away with 'setenforce 0', so it is an SELinux issue.  I have
tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.

Any ideas?

thanks


Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

to see where  the problem could be.


Playing around a little with this, I added templates_c as the grep 
string and got:


type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for 
pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir 
permissive=1


Was caused by:
The boolean httpd_unified was set incorrectly.
Description:
Allow httpd to unified

Allow access by executing:
# setsebool -P httpd_unified 1

So I tried that, and the error went away.  Going to have to add 
audit2why in my notes.


thanks



Re: [CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Zdenek Sedlak
On 2017-02-21 17:30, Robert Moskowitz wrote:
> postfixadmin setup.php is claiming:
>
> *Error: Smarty template compile directory templates_c is not writable.*
> *Please make it writable.*
> *If you are using SELinux or AppArmor, you might need to adjust their
> setup to allow write access.*
>
>
> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
> tried both:
>
> restorecon -Rv /usr/share/postfixadmin
>
> and
>
> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>
> and they are not the problem.  Googling this message does not produce
> any SELinux advice.
>
> Any ideas?
>
> thanks
>
Hi,

after 'setenforce 0' check the /var/log/audit/audit.log:

# grep /var/log/audit/audit.log | audit2why

to see where  the problem could be.

//Zdenek


[CentOS] SELinux conflict with Postfixadmin

2017-02-21 Thread Robert Moskowitz

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their 
setup to allow write access.*



This goes away with 'setenforce 0', so it is an SELinux issue.  I have 
tried both:


restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem.  Googling this message does not produce
any SELinux advice.


Any ideas?

thanks
