> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:squirrelmail-[EMAIL PROTECTED] On Behalf Of Hongwei Li
> Sent: Wednesday, January 26, 2005 9:13 AM
> To: squirrelmail-users@lists.sourceforge.net
> Subject: [SM-USERS] sm and selinux
>
> Hi,
>
> This message is specifically for SM admins about sm and selinux. I have
> some problems with sm 1.4.3a in a redhat fc3 linux system where selinux is
> enforced. My system:
>
> os: RedHat FC3 linux, kernel 2.6.9, selinux enforced, iptables enabled
> web: httpd-2.0.52-3.1 (apache)
> sendmail: 8.13.1-2
> squirrelmail: 1.4.3a-6.FC3 configured with smtp, not sendmail
> php: 4.3.10-3.2
> mysql: 3.23.58-13
>
> I have found 2 major problems so far when selinux is enforced:
>
> 1. cannot connect to the mysql database for any purpose (addressbook, pref, etc.)
> -- always "Error initializing addressbook database" etc.;
>
> 2. cannot attach any file to send -- always denied.
> The system log shows:
> ...
> Jan 25 15:09:25 pippo kernel: audit(1106687365.076:0): avc: denied { write } for pid=23123 exe=/usr/sbin/httpd name=attach dev=hda3 ino=470516 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
> ...
>
> The default sm attachment dir is as in config.php:
>
> $attachment_dir = '/var/spool/squirrelmail/attach/';
>
> and its mode is:
>
> # ls -lZ /var/spool/squirrelmail/
> drwx------ apache apache system_u:object_r:var_spool_t attach
>
>
> There might be more problems when selinux is enforced, but I just haven't
> found them. If I disable selinux while iptables is still enabled and the
> required ports are opened, everything works well, no problem at all.
>
> Although this could be a selinux admin's job, I feel that it is more
> likely that the sm code does not treat selinux in a proper way. Since
> more and more systems will have selinux enforced, I feel that it is the sm
> admins' job to make it work in a selinux environment. I will post the
> same question in the selinux group to see if there is any useful help there.
I fail to understand this logic. Would it be SM's fault if you have iptables blocking access to port 80 or 143? No. Would it be SM's fault if you have overly restrictive permissions assigned to necessary directories? No. selinux restrictions fall into this category as well, IMHO.

Perhaps additions to the documentation detailing specific changes to your selinux configuration might be in order (care to contribute?) but to suggest that coding changes are necessary because httpd is not able to write to the attachment directory that *you* specified because *you* have not applied the proper permissions is ridiculous. In any event, any changes would need to be made to httpd, not SM, as that is the 'program' that selinux sees.

Maybe this is helpful to you -- http://www.nsa.gov/selinux/papers/policy2/x879.html

I think this quote is pertinent --

"After installing SELinux, the administrator may discover that additional permissions must be allowed in order for the system to function properly. It is advisable to run SELinux in permissive mode initially and to exercise the standard operations of the system in order to generate audit messages for all operations that would have been denied by the example policy. These messages can typically be found in the dmesg output or /var/log/messages with the prefix avc: denied."

-- Marc
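The advice in the reply is to run in permissive mode, collect the "avc: denied" messages, and work out which labels or permissions are missing. The script below is an added example (not code from SquirrelMail or from either poster) of doing that triage offline: it parses the FC3-era syslog/dmesg AVC format quoted in the thread into structured records, collapses a log into the distinct (source type, target type, class, permission) tuples that were denied, and sorts each denial into the kind of fix an administrator would look at first (relabel the object, or enable a policy boolean / add local policy). The sample log is constructed: its first line mirrors the denial quoted above, the other lines are invented. The classification heuristic is this example's own, not output of any SELinux tool.

```python
import re
from collections import Counter

# Constructed sample log excerpt. The first line mirrors the AVC message quoted
# in the thread; the remaining lines are invented for illustration.
SAMPLE_LOG = """\
Jan 25 15:09:25 pippo kernel: audit(1106687365.076:0): avc: denied { write } for pid=23123 exe=/usr/sbin/httpd name=attach dev=hda3 ino=470516 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 25 15:09:25 pippo kernel: audit(1106687365.080:0): avc: denied { add_name } for pid=23123 exe=/usr/sbin/httpd name=attach dev=hda3 ino=470516 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 25 15:09:26 pippo kernel: audit(1106687366.101:0): avc: denied { name_connect } for pid=23123 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Jan 25 15:10:00 pippo sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51000
"""

# Shape of the message: "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type component of user:role:type[:level], or '' if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc_denials(text):
    """Extract a structured record from every 'avc: denied' line in text.

    Each record carries the denied permissions, the raw key=value fields,
    and the source/target types pulled out of the security contexts.
    Granted decisions and unrelated log lines are skipped.
    """
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("kv")))
        records.append({
            "perms": m.group("perms").split(),
            "stype": context_type(fields.get("scontext", "")),
            "ttype": context_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", ""),
            "exe": fields.get("exe", ""),
            "name": fields.get("name", ""),
            "raw": fields,
        })
    return records


def summarize(records):
    """Count (source type, target type, class, permission) tuples so that a
    long permissive-mode log collapses into the few distinct rules that are missing."""
    counts = Counter()
    for r in records:
        for p in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], p)] += 1
    return counts


def classify(record):
    """Heuristic of this example, not SELinux tool output: file-system object
    denials usually mean the object carries the wrong label for the domain
    (the attach dir labelled var_spool_t in the thread is one such case),
    while socket denials usually need a policy boolean or a local policy module."""
    if record["tclass"] in ("dir", "file", "lnk_file"):
        return "relabel"
    if record["tclass"].endswith("socket"):
        return "boolean_or_policy"
    return "review"


if __name__ == "__main__":
    recs = parse_avc_denials(SAMPLE_LOG)
    for (stype, ttype, tclass, perm), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {stype} -> {ttype} ({tclass}) {perm}")
    for r in recs:
        print(classify(r), r["exe"], r["name"] or r["raw"].get("dest", ""))
```

Run against a real /var/log/messages captured in permissive mode, the summary shows at a glance that both problems reported in the original message (the attachment directory and the MySQL connection) are httpd_t denials against objects that were never labelled or permitted for the web server domain, which is what the reply means by a configuration issue rather than an application bug.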