FW: SELinux, apache/php and qmail's sendmail

Daniel J Walsh dwalsh at redhat.com
Wed May 14 13:32:01 UTC 2008



D. Hilbig wrote:
| Can someone please help me with this?
|
|
|
| -----Original Message-----
| From: D. Hilbig [mailto:selinux at hilbig.name]
| Sent: Thursday, May 08, 2008 10:14 AM
| To: 'fedora-selinux-list at redhat.com'
| Subject: SELinux, apache/php and qmail's sendmail
|
|
| I use qmail instead of sendmail on RHEL v5 and I could use some advice on
| setting contexts for qmail's sendmail so that apache/php can use it.
|
| Below are the files and directories involved with qmail's sendmail (and
| delivery to queue)
|
| allow apache/php to invoke qmail's sendmail program:
|   /var/qmail/bin/sendmail
|
potentially sendmail_exec_t?
semanage fcontext -a -t bin_t /var/qmail/bin/sendmail
| allow qmail's sendmail to invoke qmail-inject program:
|   /var/qmail/bin/qmail-inject
|
All of the files in this directory should be labeled bin_t.
If not, you can add this context by executing

semanage fcontext -a -t bin_t '/var/qmail/bin(/.*)?'

restorecon -R -v /var/qmail/bin

| allow qmail-inject to list the contents of the config files directory:
|   /var/qmail/control
|
| allow qmail-inject to read the config files it uses:
|   /var/qmail/control/defaultdomain
|   /var/qmail/control/defaulthost
|   /var/qmail/control/idhost
|   /var/qmail/control/plusdomain
|   /var/qmail/control/me
|
| allow qmail-inject to invoke qmail-queue program:
|   /var/qmail/bin/qmail-queue
|
| allow qmail-queue to read the config file used by the 'taps' patch:
|   /var/qmail/control/taps
|
| allow qmail-queue to put a message into the queue:
| (create, edit, delete and link files)
|   /var/qmail/queue/pid (and subdirectories)
|   /var/qmail/queue/mess (and subdirectories)
|   /var/qmail/queue/intd (and subdirectories)
|   /var/qmail/queue/todo (and subdirectories)
|
semanage fcontext -a -t mail_spool_t '/var/qmail/queue(/.*)?'
restorecon -R -v /var/qmail/queue
|
|
| For testing I specified the context "httpd_sys_content_t" but I know that it
| isn't the desired context.  What context(s) should I specify for the
| aforementioned programs, directories and configuration files?
|
| Are there any other things I should do or consider besides setting the
| context(s)?
|
| Your guidance is greatly appreciated.
|
I would try something like the above.

After you make the changes above run the
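The relabeling steps from the reply above, collected into one script. This is an added example, not code from the thread or from the qmail or SELinux projects. It assumes the stock /var/qmail prefix (overridable through QMAIL_ROOT), it labels the control directory etc_t, which the thread does not state and is an assumption here (httpd_t can read etc_t files, and since bin_t causes no domain transition the qmail programs keep running as httpd_t), the QMAIL_APPLY switch is an invention of this example, and the `ls -Z` line used to exercise the check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): apply the labels suggested in the
# reply for a qmail install that Apache/PHP must be able to call, then give
# the reader a way to verify them. Dry-run unless QMAIL_APPLY=1, so the
# script can be read and tested on a host without SELinux or root.

QMAIL_ROOT="${QMAIL_ROOT:-/var/qmail}"   # assumption: stock qmail prefix

# Print the semanage/restorecon pair for one directory tree.
# $1 = directory, $2 = SELinux file type
label_tree_cmds() {
    printf 'semanage fcontext -a -t %s '"'"'%s(/.*)?'"'"'\n' "$2" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Labels from the thread: programs as bin_t, queue as mail_spool_t.
# etc_t for the control files is this example's assumption: bin_t does not
# trigger a domain transition, so qmail-inject/qmail-queue run as httpd_t
# and httpd_t can read etc_t configuration files.
qmail_label_cmds() {
    label_tree_cmds "$QMAIL_ROOT/bin" bin_t
    label_tree_cmds "$QMAIL_ROOT/queue" mail_spool_t
    label_tree_cmds "$QMAIL_ROOT/control" etc_t
}

# Return 0 if one line of `ls -Z` output carries the expected SELinux type.
# The context is the whitespace-separated field containing ":object_r:";
# its third colon-separated component is the type.
# $1 = one `ls -Z` line, $2 = expected type (e.g. bin_t)
line_has_type() {
    ctx=$(printf '%s\n' "$1" | tr ' ' '\n' | grep ':object_r:' | head -n 1)
    [ -n "$ctx" ] || return 1
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$type" = "$2" ]
}

# Check every entry directly under a directory against an expected type.
# Only meaningful on an SELinux host; returns the number of mislabeled entries.
# $1 = directory, $2 = expected type
check_tree_type() {
    bad=0
    ls -Z "$1" | while IFS= read -r line; do
        line_has_type "$line" "$2" || { printf 'MISLABELED: %s\n' "$line"; bad=1; }
    done
    return $bad
}

if [ "${QMAIL_APPLY:-0}" = 1 ]; then
    # Real relabel: needs root and policycoreutils (semanage, restorecon).
    qmail_label_cmds | sh -x
    check_tree_type "$QMAIL_ROOT/bin" bin_t
    check_tree_type "$QMAIL_ROOT/queue" mail_spool_t
else
    echo "# dry run; set QMAIL_APPLY=1 to execute:"
    qmail_label_cmds
fi
```

Labeling alone is not the whole story: relabeling /var/qmail/bin/sendmail as bin_t means Apache runs it, and everything it spawns, in httpd_t, so any denial will show up against httpd_t in /var/log/audit/audit.log (`ausearch -m avc -ts recent`). Check `getsebool httpd_can_sendmail` as well; that boolean governs whether httpd_t may send mail at all, and the alternative the reply hints at, sendmail_exec_t, relies on it to move the sendmail process out of httpd_t.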
