Re: httpd can't send mails
by shintaro_fujiwara
> I tried to send mails using a PHP script that calls mail() but when I
> do it I get this avc:
> audit(1183392777.651:14): avc: denied { read } for pid=25048
> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
> scontext=user_u:system_r:system_mail_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=file
> the boolean "httpd_can_sendmail" is enabled (true).
> I restarted the httpd and sendmail service after doing so... but still
> no success.
> Any ideas?
Hi,
Why don't you edit the policy and update it?
Maybe you can do it by editing a few files and
typing several commands.
If you are using postfix, here's what I did.
I made an interface for postfix.
########################################
## <summary>
##	For xoops sending mail through postfix.
## </summary>
## <param name="domain">
##	Domain allowed to send mail.
## </param>
#
interface(`xoops_send_mail_by_postfix',`
	gen_require(`
		type bin_t;
		type smtp_port_t;
		type sendmail_exec_t;
	')

	# locate the sendmail binary
	allow $1 bin_t:dir search;
	# talk to the local SMTP port
	allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
	# run sendmail without a domain transition
	allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
')
1. I downloaded the source of refpolicy.
2. I copied the postfix ones and apache ones to /usr/share/selinux/devel.
3. I edited the first line of postfix.te so that the version number becomes larger than the original one.
4. I added the above interface to postfix.if.
5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also edited the first line like postfix.
6. # make clean
7. # make
8. # semodule -u postfix.pp
9. # semodule -u apache.pp
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
ldd fails for executables requiring execstack/execmem!? ld-linux.so.2 misbehaves?
by Tom London
I'm running the latest Rawhide, selinux-policy-3.0.1-4.fc8 targeted/enforcing.
The 'ldd' command (/usr/bin/ldd) fails for me when I target it at
executables requiring execstack or execmem.
For example, here is what happens when I try 'ldd' against /usr/bin/skype:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ldd /usr/bin/skype
not a dynamic executable
[root@localhost ~]# setenforce 0
[root@localhost ~]# ldd /usr/bin/skype
linux-gate.so.1 => (0x00110000)
libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<<SNIP>>>>>
libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x4625c000)
libcap.so.1 => /lib/libcap.so.1 (0x46b1d000)
libexpat.so.0 => /lib/libexpat.so.0 (0x46348000)
[root@localhost ~]#
Here is a typical AVC generated by the above:
type=AVC msg=audit(1183407589.500:113): avc: denied { execmem } for
pid=11095 comm="ld-linux.so.2"
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 syscall=192
success=no exit=-13 a0=8048000 a1=aa8000 a2=7 a3=812 items=0
ppid=11094 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2"
exe="/lib/ld-2.6.so" subj=system_u:system_r:unconfined_t:s0 key=(null)
Interestingly, setting 'allow_execstack' to one via 'setsebool
allow_execstack=1' eliminates the AVC and makes the 'ldd' command
succeed:
[root@localhost ~]# setsebool allow_execstack=1
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ldd /usr/bin/skype
linux-gate.so.1 => (0x00110000)
libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<SNIP>>>>
Of course, this happens with other files as well (e.g., vmware, ....).
The problem appears to hit ld-linux.so.2 badly... Preloading
libraries that require execstack/execmem (and text relocation?)
generates AVCs and fails.
This causes particular problems with the scripts that start vmware.
'setroubleshoot' suggests setting /lib/ld-linux.so.2 to
'unconfined_execmem_exec_t', but that seems just wrong.
Can someone shed some light on what is happening here? Path to enlightenment?
thanks,
tom
--
Tom London
httpd can't send mails
by drago01
I tried to send mails using a PHP script that calls mail() but when I
do it I get this avc:
audit(1183392777.651:14): avc: denied { read } for pid=25048
comm="sendmail" name="[79366]" dev=eventpollfs ino=79366
scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=file
the boolean "httpd_can_sendmail" is enabled (true).
I restarted the httpd and sendmail service after doing so... but still
no success.
Any ideas?
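The denials quoted in this thread (the sendmail/httpd read denial above and the ld-linux.so.2 execmem denial in Tom's post) are the raw material for the policy work Shintaro describes. As an added example, not code from any of the posters, here is a small parser that extracts the fields of an AVC line and derives the statement audit2allow would propose, with two hints that matter when reading such denials by hand: a target on eventpollfs (an anonymous inode with no path, only a descriptor) points at a file descriptor inherited from the parent domain, which is normally silenced with dontaudit rather than granted; and execmem/execstack on the process class are governed by the allow_execmem/allow_execstack booleans rather than by new rules. The sample lines are constructed from the thread; the boolean map and the anonymous-filesystem set are heuristics.

```python
"""Parse SELinux AVC denials and derive the candidate policy statement."""
import re

# Constructed from the two denials quoted in this thread.
SAMPLE_AVCS = [
    'audit(1183392777.651:14): avc: denied { read } for pid=25048 comm="sendmail" '
    'name="[79366]" dev=eventpollfs ino=79366 scontext=user_u:system_r:system_mail_t:s0 '
    'tcontext=user_u:system_r:httpd_t:s0 tclass=file',
    'type=AVC msg=audit(1183407589.500:113): avc: denied { execmem } for pid=11095 '
    'comm="ld-linux.so.2" scontext=system_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ANON_FS = {'eventpollfs', 'anon_inodefs'}   # heuristic: anonymous inodes, reachable only via an fd
BOOLEAN_PERMS = {'execmem': 'allow_execmem', 'execstack': 'allow_execstack'}  # heuristic map

def parse_avc(line):
    """Return a dict of the AVC's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # a context is user:role:type[:range]; policy rules name the type component
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def suggest(rec):
    """Return (policy statement, hint) for one parsed denial."""
    perms = ' '.join(rec['perms'])
    verb, hint = 'allow', ''
    if rec.get('dev') in ANON_FS:
        # The object is a descriptor the source inherited across exec (here httpd's
        # epoll fd reaching sendmail); the usual fix is to silence the leak, not allow it.
        verb, hint = 'dontaudit', 'inherited descriptor leaked from the parent domain'
    booleans = sorted(BOOLEAN_PERMS[p] for p in rec['perms'] if p in BOOLEAN_PERMS)
    if rec['tclass'] == 'process' and booleans:
        hint = 'normally toggled with setsebool ' + ', '.join(booleans) + ', not a new rule'
    stmt = f"{verb} {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"
    return stmt, hint

if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        stmt, hint = suggest(parse_avc(line))
        print(stmt, f'# {hint}' if hint else '')
```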
Proactive SELinux fixes from automatic collection of logs
by Rahul Sundaram
Hi
There are many instances where SELinux policy causes AVC denials while
running programs. Some of these are policy issues, some actual bugs in
the program or security issues and others where the denial is rather
harmless and can be ignored for all practical purposes.
It is sometimes tedious to go and file a bug report methodically on
all these denials in the hope that we uncover and fix real policy issues.
What would be better is for users to run some opt-in program that
automatically sends either the audit or messages log or both to a central
server, and the SELinux developers proactively fix policy issues without
the overhead of users filing bug reports.
I would gladly run a program and I would guess that many users would
find this a much better and easier way to report issues. We could even
tie this to a GUI and first boot in the installer. Kind of a smolt
(http://smolt.fedoraproject.org/stats) for SELinux if you will. Comments?
Rahul