SELinux denies qmailadmin access

Kristen kris_s at atmyhome.org
Tue Jan 4 01:46:13 UTC 2011


I am attempting to use qmailadmin offered by http://www.inter7.com/. This is 
implemented by a plugin in squirrelmail. The program qmailadmin allows users 
to change their vpopmail passwords through the web interface.

Solutions found when searching for an answer all state "selinux enforcing 
will not allow qmailadmin to set uid". "Disable selinux if it is enabled".

This is not a solution I'm willing to accept.

vpopmail directory has this context:

# vpopmail vchkpw user_u:object_r:user_home_t

Summary:

SELinux is preventing the qmailadmin from using potentially mislabeled files
(./1294101113.qw).

Detailed Description:

SELinux has denied qmailadmin access to potentially mislabeled file(s)
(./1294101113.qw). This means that SELinux will not allow qmailadmin to use
these files.

Additional Information:

Source Context                user_u:system_r:httpd_sys_script_t
Target Context                user_u:object_r:user_home_t
Target Objects                ./1294101113.qw [ dir ]
Source                        qmailadmin
Source Path                   /var/www/cgi-bin/qmailadmin
Port                          <Unknown>
Host                          host.atmyhome
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     host.atmyhome
Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   1
First Seen                    Mon Jan  3 15:31:53 2011
Last Seen                     Mon Jan  3 15:31:53 2011
Local ID                      f2265c4e-f0eb-4578-a760-0cf0678b2216
Line Numbers                  

Raw Audit Messages            

host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc:  denied  { add_name } for  pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc:  denied  { create } for  pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003 syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)

Also this one follows:

SELinux is preventing the qmailadmin from using potentially mislabeled files
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied qmailadmin access to potentially mislabeled file(s)
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw). This means
that SELinux will not allow qmailadmin to use these files.

Allowing Access:

If you want qmailadmin to access this files, you need to relabel them using
restorecon -v
'/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw'.

Additional Information:

Source Context                user_u:system_r:httpd_sys_script_t
Target Context                user_u:object_r:user_home_t
Target Objects                /home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw [ file ]
Source                        qmailadmin
Source Path                   /var/www/cgi-bin/qmailadmin
Port                          <Unknown>
Host                          host.atmyhome
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     host.atmyhome
Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   1
First Seen                    Mon Jan  3 15:31:53 2011
Last Seen                     Mon Jan  3 15:31:53 2011
Local ID                      3d48d4c0-326f-4322-9354-4b71e74ee2dc
Line Numbers                  

Raw Audit Messages            

host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc:  denied  { write } for  pid=6717 comm="qmailadmin" path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw" dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=host.atmyhome type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003 syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)

I am thinking that vpopmail should not have the context of user_home_t even 
though it is in the /home directory. But what to change the context to I'm not 
sure.

Bless you all

Kristen

-- 
Are you who you say you are?
http://www.atmyhome.org/what-is-gpg-pgp.html
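
Added example, not part of the original post: a small Python parser that condenses AVC records like the ones quoted above into source type, target type, object class and denied permissions, so it is easy to see which type pairs the denials involve. The function names and the abridged SYSCALL record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records from the post, hard-wrapped as in
# mail archives, plus an abridged SYSCALL record that must be ignored.
SAMPLE = """\
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc:  denied  {
add_name } for  pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=dir

host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc:  denied  {
create } for  pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): syscall=5
success=yes comm="qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0

host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc:  denied  {
write } for  pid=6717 comm="qmailadmin"
path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw"
dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc: denied \{ (?P<perms>[^}]*?) \} '
    r'for .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<cls>\S+)')

def selinux_type(context):
    return context.split(":")[2]  # user:role:type[:level] -> type

def summarize_avc(text):
    """Map (source type, target type, class) to the sorted denied permissions."""
    rules = defaultdict(set)
    for record in re.split(r'\n\s*\n', text):   # blank line separates records
        flat = " ".join(record.split())         # undo wraps and double spaces
        m = AVC_RE.search(flat)
        if m is None:                           # SYSCALL etc. are skipped
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["cls"])
        rules[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in rules.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_avc(SAMPLE).items():
        print(f"{src} -> {tgt} [{cls}]: {' '.join(perms)}")
```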