SELinux denies qmailadmin access
by Kristen R
I am attempting to use qmailadmin offered by http://www.inter7.com/ This is
implemented by a plugin in squirrelmail. The program qmailadmin allows users
to change their vpopmail passwords through the web interface.
Solutions found when searching for an answer all state "selinux enforcing
will not allow qmailadmin to set uid" and "Disable selinux if it is enabled".
This is not a solution I'm willing to accept.
vpopmail directory has this context:
# vpopmail vchkpw user_u:object_r:user_home_t
Summary:
SELinux is preventing the qmailadmin from using potentially mislabeled files
(./1294101113.qw).
Detailed Description:
SELinux has denied qmailadmin access to potentially mislabeled file(s)
(./1294101113.qw). This means that SELinux will not allow qmailadmin to use
these files.
Additional Information:
Source Context user_u:system_r:httpd_sys_script_t
Target Context user_u:object_r:user_home_t
Target Objects ./1294101113.qw [ dir ]
Source qmailadmin
Source Path /var/www/cgi-bin/qmailadmin
Port <Unknown>
Host host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name home_tmp_bad_labels
Host Name host.atmyhome
Platform Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count 1
First Seen Mon Jan 3 15:31:53 2011
Last Seen Mon Jan 3 15:31:53 2011
Local ID f2265c4e-f0eb-4578-a760-0cf0678b2216
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
create } for pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003
syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0
ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
key=(null)
Also this one follows:
SELinux is preventing the qmailadmin from using potentially mislabeled files
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux has denied qmailadmin access to potentially mislabeled file(s)
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw). This means
that SELinux will not allow qmailadmin to use these files.
Allowing Access:
If you want qmailadmin to access this files, you need to relabel them using
restorecon -v
'/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw'.
Additional Information:
Source Context user_u:system_r:httpd_sys_script_t
Target Context user_u:object_r:user_home_t
Target Objects
/home/vpopmail/domains/atmyhome.org/kris_s/Maildir
/1294101113.qw [ file ]
Source qmailadmin
Source Path /var/www/cgi-bin/qmailadmin
Port <Unknown>
Host host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name home_tmp_bad_labels
Host Name host.atmyhome
Platform Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count 1
First Seen Mon Jan 3 15:31:53 2011
Last Seen Mon Jan 3 15:31:53 2011
Local ID 3d48d4c0-326f-4322-9354-4b71e74ee2dc
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc: denied {
write } for pid=6717 comm="qmailadmin"
path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw"
dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003
syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=21470
pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503
sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
key=(null)
I am thinking that vpopmail should not have the context of user_home_t even
though it is in the /home directory. But what to change the context to I'm not
sure.
Bless you all
Kristen
--
Are you who you say you are?
http://www.atmyhome.org/what-is-gpg-pgp.html
razor policy
by Vadym Chepkov
Hi,
It seems that for some reason the selinux-targeted policy on Fedora doesn't install the razor policy and, furthermore, removes it if the razor module was installed.
I guess it is done for simplicity, to have just one "spam" domain. But somehow the proper labeling was forgotten:
selinux-policy-targeted-3.9.7-18.fc14.noarch
# ls -Z /usr/bin/razor-*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-admin
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-check
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-client
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-report
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-revoke
# ls -dZ /home/vchepkov/.razor
drwxr-xr-x. vchepkov users unconfined_u:object_r:user_home_t:s0 /home/vchepkov/.razor
# ls -dZ /root/.razor
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /root/.razor
Vadym
P.S. On a related note, how do $HOME files get their labeling?
# semanage fcontext -l|grep pyzor
has reference only to
/root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
but, directory gets proper labeling:
# ls -dZ /home/vchepkov/.pyzor
drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
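The question in the P.S. above (how files under $HOME get their labels when `semanage fcontext -l` only lists a `/root` entry) comes down to the home-directory specs: the policy carries them with `HOME_DIR`/`HOME_ROOT` placeholders, and genhomedircon expands them per login home, plus a catch-all for any directory under the default home root, into `file_contexts.homedirs`, which is consulted after `file_contexts`. The following is an added example written for this page, not code from the thread or from the SELinux userspace, that emulates that expansion and the "last matching spec wins" lookup. The spec lines and the user are constructed; the type names are the ones the `ls -Z` output above reports.

```python
"""Added example (not from the thread): how $HOME file labels are derived.

The policy ships home-directory specs with HOME_DIR / HOME_ROOT placeholders
(file_contexts.template). genhomedircon, run when the policy store is rebuilt,
expands them once per login home and once for a catch-all /home/[^/]+ pattern
into file_contexts.homedirs, which matchpathcon/restorecon consult after
file_contexts. Spec lines and the user below are constructed.
"""
import os
import re

# Constructed stand-in for file_contexts. Root's home is fixed, so the policy
# can carry literal /root entries here; that is the only pyzor line the
# semanage listing in the post shows.
BASE_SPECS = [
    (r"/.*", "default_t"),
    (r"/home", "home_root_t"),
    (r"/root(/.*)?", "admin_home_t"),
    (r"/root/\.pyzor(/.*)?", "pyzor_home_t"),
]

# Constructed stand-in for file_contexts.template. The real policy's lines
# differ; spamc_home_t is the type the post's ls -dZ reports for ~/.pyzor.
HOMEDIR_TEMPLATE = [
    (r"HOME_ROOT/[^/]+", "user_home_dir_t"),
    (r"HOME_DIR/.+", "user_home_t"),
    (r"HOME_DIR/\.pyzor(/.*)?", "spamc_home_t"),
]


def expand_homedir_specs(template, homes):
    """Emulate genhomedircon: one expanded copy of every template spec per home.

    homes is a list of (root_regex, home_regex) pairs: escaped paths for real
    login users, plus the catch-all r"/home/[^/]+" that covers any directory
    under the default home root (which is how /home/vpopmail ends up labeled
    user_home_t even though no template mentions it).
    """
    expanded = []
    for root, home in homes:
        for regex, ftype in template:
            regex = regex.replace("HOME_ROOT", root).replace("HOME_DIR", home)
            expanded.append((regex, ftype))
    return expanded


def match_type(path, specs):
    """Return the type for path. As in libselinux the last matching spec wins,
    so specs run from general to specific and homedirs entries come last."""
    found = None
    for regex, ftype in specs:
        if re.fullmatch(regex, path):
            found = ftype
    return found


def build_specs(login_homes):
    """file_contexts followed by file_contexts.homedirs for the given users."""
    homes = [("/home", r"/home/[^/]+")]
    homes += [(re.escape(os.path.dirname(h)), re.escape(h)) for h in login_homes]
    return BASE_SPECS + expand_homedir_specs(HOMEDIR_TEMPLATE, homes)


if __name__ == "__main__":
    specs = build_specs(["/home/vchepkov"])
    for p in ("/root/.pyzor", "/home/vchepkov/.pyzor", "/home/vchepkov/.razor",
              "/home/vpopmail/domains/atmyhome.org/kris_s/Maildir"):
        print("%-55s %s" % (p, match_type(p, specs)))
```

Two things fall out of the lookup: `~/.pyzor` gets its own type only because a `HOME_DIR/\.pyzor` template exists, so `~/.razor`, for which the removed razor module carried the only spec, falls through to the generic `HOME_DIR/.+` entry and is left as `user_home_t`; and the catch-all covers every directory under `/home`, which is why the vpopmail tree in the first post is `user_home_t` as well. On a real box the expanded entries are in `/etc/selinux/targeted/contexts/files/file_contexts.homedirs`, and `matchpathcon <path>` shows which spec wins.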
Denied for com='ps' name='stat' {open} {read} {search}
by Frank Licea
I'm on a fresh install of Fedora 14 and using phusion passenger. I currently
have SELinux in permissive mode.
When I checked my /var/log/audit/audit.log file I noticed three denial
messages and I can't figure out why they are there. Has anyone encountered
anything similar before?
==========================
type=AVC msg=audit(1293393237.358:102): avc: denied { search } for
pid=3451 comm="ps" name="3279" dev=proc ino=9320
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451
comm="ps" name="stat" dev=proc ino=9816
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451
comm="ps" name="stat" dev=proc ino=9816
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
==========================
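Both this post and Kristen's qmailadmin post above end at the same decision: the AVC records can be folded into `allow` rules with audit2allow, but the right fix depends on what the target context is. The following is an added example written for this page, not code from either post and not audit2allow's own code. It parses the AVC records quoted in the two posts (copied here and rejoined onto one line each, with one SYSCALL record kept to show it is skipped), folds them into the rules audit2allow would print, and then applies the triage a practitioner does before loading a module: a home-directory target type means the files are mislabeled for a service, and a target whose role is not `object_r` is another process's state (here the `/proc/3279` entries `ps` reads), where an allow rule would widen what the web server can observe. The `HOME_TYPES` set and the verdict names are my own.

```python
"""Added example (not from the thread): fold AVC denials into allow rules the
way audit2allow does, then decide whether an allow rule is the right fix."""
import re
from collections import defaultdict

# Constructed sample: the AVC records from the two posts, rejoined onto one
# line each, plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1294101113.176:2334): avc: denied { add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1294101113.176:2334): avc: denied { create } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003 syscall=5 success=yes exit=5 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin"
type=AVC msg=audit(1294101113.179:2335): avc: denied { write } for pid=6717 comm="qmailadmin" path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw" dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1293393237.358:102): avc: denied { search } for pid=3451 comm="ps" name="3279" dev=proc ino=9320 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Types that mark a home directory. A service domain hitting these means the
# files carry a home label, not a label the service is meant to work with.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "admin_home_t", "home_root_t"}


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type)."""
    parts = ctx.split(":")
    return parts[0], parts[1], parts[2]


def parse_avc(log_text):
    """Extract every AVC denial as a dict; records without 'avc: denied' are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype = split_context(m.group("scontext"))
        _, trole, ttype = split_context(m.group("tcontext"))
        denials.append({"comm": m.group("comm"), "stype": stype, "ttype": ttype,
                        "trole": trole, "tclass": m.group("tclass"),
                        "perms": set(m.group("perms").split())})
    return denials


def allow_rules(log_text):
    """Fold denials into one allow rule per (source type, target type, class),
    which is what audit2allow prints for the same input."""
    grouped = defaultdict(set)
    for d in parse_avc(log_text):
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


def triage(ttype, trole):
    """Verdict for one folded rule:
      'relabel' - target has a home-directory type: fix the file label, not the policy
      'process' - target role is not object_r, so the object is another process's
                  state (e.g. its /proc entries): find out why the service runs
                  that command rather than granting it a view of other processes
      'review'  - plain policy gap; a local module may be right after review
    """
    if ttype in HOME_TYPES:
        return "relabel"
    if trole != "object_r":
        return "process"
    return "review"


def triage_report(log_text):
    """Map each (source type, target type, class) key to its verdict."""
    report = {}
    for d in parse_avc(log_text):
        report[(d["stype"], d["ttype"], d["tclass"])] = triage(d["ttype"], d["trole"])
    return report


if __name__ == "__main__":
    verdicts = triage_report(SAMPLE_AUDIT_LOG)
    for rule, key in zip(allow_rules(SAMPLE_AUDIT_LOG), sorted(verdicts)):
        print("%-9s %s" % (verdicts[key], rule))
```

For the qmailadmin denials the verdict is `relabel`: the `.qw` file is being created under `/home/vpopmail`, which carries `user_home_t` only because it sits under `/home`, so the fix is a file-context rule for that tree with a type the CGI domain may write (the apache module's writable CGI content type; on the EL5 policy in the post that is `httpd_sys_script_rw_t`, later renamed `httpd_sys_rw_content_t`; confirm the name against the installed policy with `seinfo -t`), applied with `semanage fcontext -a -t <type> '/home/vpopmail/domains(/.*)?'` followed by `restorecon -Rv /home/vpopmail/domains`. Anything else that touches the mail tree (the delivery and POP/IMAP daemons) then needs to be allowed the new type too, so watch for their AVCs after relabeling. For the `ps` denials the verdict is `process`: `httpd_t` is asking to read `/proc/3279/stat` of an unconfined process, and the useful question is what under the web server is running `ps`, not which allow rule makes the message go away.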