SELinux denies qmailadmin access
Kristen
kris_s at atmyhome.org
Tue Jan 4 01:46:13 UTC 2011
I am attempting to use qmailadmin offered by http://www.inter7.com/ This is
implemented by a plugin in squirrelmail. The program qmailadmin allows users
to change their vpopmail passwords through the web interface.
Solutions found when searching for an answer all states "selinux enforcing
will not allow qmailadmin to set uid". "Disable selinux if it is enabled".
This is not a solution I'm willing to accept.
vpopmail directory has this context:
# vpopmail vchkpw user_u:object_r:user_home_t
Summary:
SELinux is preventing the qmailadmin from using potentially mislabeled files
(./1294101113.qw).
Detailed Description:
SELinux has denied qmailadmin access to potentially mislabeled file(s)
(./1294101113.qw). This means that SELinux will not allow qmailadmin to use
these files.
Additional Information:
Source Context user_u:system_r:httpd_sys_script_t
Target Context user_u:object_r:user_home_t
Target Objects ./1294101113.qw [ dir ]
Source qmailadmin
Source Path /var/www/cgi-bin/qmailadmin
Port <Unknown>
Host host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name home_tmp_bad_labels
Host Name host.atmyhome
Platform Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP
Tue
Nov 9 12:54:40 EST 2010 i686 i686
Alert Count 1
First Seen Mon Jan 3 15:31:53 2011
Last Seen Mon Jan 3 15:31:53 2011
Local ID f2265c4e-f0eb-4578-a760-0cf0678b2216
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
create } for pid=6717 comm="qmailadmin" name="1294101113.qw"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003
syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0
ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508
egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
key=(null)
Also this one follows:
SELinux is preventing the qmailadmin from using potentially mislabeled files
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux has denied qmailadmin access to potentially mislabeled file(s)
(/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw). This means
that SELinux will not allow qmailadmin to use these files.
Allowing Access:
If you want qmailadmin to access this files, you need to relabel them using
restorecon -v
'/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw'.
Additional Information:
Source Context user_u:system_r:httpd_sys_script_t
Target Context user_u:object_r:user_home_t
Target Objects
/home/vpopmail/domains/atmyhome.org/kris_s/Maildir
/1294101113.qw [ file ]
Source qmailadmin
Source Path /var/www/cgi-bin/qmailadmin
Port <Unknown>
Host host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name home_tmp_bad_labels
Host Name host.atmyhome
Platform Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP
Tue
Nov 9 12:54:40 EST 2010 i686 i686
Alert Count 1
First Seen Mon Jan 3 15:31:53 2011
Last Seen Mon Jan 3 15:31:53 2011
Local ID 3d48d4c0-326f-4322-9354-4b71e74ee2dc
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc: denied {
write } for pid=6717 comm="qmailadmin"
path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw"
dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003
syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=2147 0
pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503
sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
key=(null)
I am thinking that vpopmail should not have the context of user_home_t even
though it is in the /home directory. But what to change the context to I'm not
sure.
Bless you all
Kristen
--
Are you who you say you are?
http://www.atmyhome.org/what-is-gpg-pgp.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110103/95a2953f/attachment.bin
More information about the selinux
mailing list