Hi,
I posted this question a few days ago, but I haven't seen any reply. Maybe I missed some. Here I post it again and hope I can get some help.
My system:
os: RedHat FC3 linux, kernel-2.6.10-1.760_FC3, selinux enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.75
iptables: iptables-1.2.11-3.1.FC3
web server: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
squirrelmail: squirrelmail-1.4.3a-6.FC3
SELINUXTYPE=targeted
The problem is the SquirrelCheck in squirrelmail does not work when selinux is enforced (targeted). If I click "Check Spelling" in squirrelmail's Compose windows, it does not do any spell checking and the system log shows:
Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
If selinux is disabled, then it works well. Does anybody run fc3 with selinux enforced and run squirrelmail? If yes, please try "Check Spelling". Does it work in your system? If yes, how did you make it work? Or how can I fix this problem?
I appreciate all the help!
Hongwei Li
On Thursday 17 February 2005 02:21, "Hongwei Li" hongwei@wustl.edu wrote:
> The problem is the SquirrelCheck in squirrelmail does not work when selinux is enforced (targeted). If I click "Check Spelling" in squirrelmail's Compose windows, it does not do any spell checking and the system log shows:
>
> Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Currently we don't have policy for Squirrelmail. One option is to enable httpd_disable_trans; this means that SE Linux does not restrict Apache and child processes but will restrict other daemons. Another option is to grant httpd_sys_script_t the access to do the things it wants; this isn't ideal and isn't what we will do for proper squirrelmail policy, but will solve your problems.
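The second option in the reply, granting httpd_sys_script_t the access it was denied, starts from reading the AVC message. The Python below is an added example, not part of the thread or of any SELinux tool: it parses denials like the one posted and renders the candidate allow rule each implies, the same idea as audit2allow. The second log line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial posted in the thread. Line 2 (getattr) is CONSTRUCTED
# to show merging of permissions; line 3 is constructed non-AVC noise.
SAMPLE_LOG = """\
Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 16 09:07:26 pippo kernel: audit(1108566446.001:0): avc: denied { getattr } for pid=7900 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 16 09:07:27 pippo kernel: unrelated message
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render one candidate allow rule per (source, target, class), sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

Review each generated rule before adding it to policy: the rule for the posted denial lets every script running as httpd_sys_script_t search directories labelled var_spool_t, not only the spell checker.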