Some more (probably) Zarafa-related

Matej Cepl mcepl at redhat.com
Sat Aug 11 10:58:05 UTC 2012


Hi,

I have found that my server (running RHEL 6 with plenty of EPEL 
stuff, most interesting here is probably Zarafa) is still in 
permissive mode. Before switching to enforcing again I ran ausearch -m 
AVC -ts this-week and got the attached list of AVC denials. I am not 
sure what to do about these, but before I blindly file bugs in bugzilla 
(or blindly switch on various booleans), I thought I would ask for 
advice here.

[root@luther selinux-research]# audit2allow <avc-this-week.txt \
     |grep -v '^#'|grep -v '^\s*$'
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;
# is httpd_can_sendmail --> off really to blame? Or is there some weird 
# interaction between Zarafa webmail and postfix?

allow httpd_t self:process setrlimit;
# this just happened once, and I don't feel well about switching the 
# httpd_setrlimit boolean on without knowing why it is required.

My booleans related to http:

[root@luther selinux-research]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
[root@luther selinux-research]#

Thanks for any advice,

Matěj
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avc-this-week.txt
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120811/3dc958a3/attachment.txt>
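
A triage aid for the audit2allow output in this message, added here as an example and not part of the original post: it parses the posted rules (mail-wrapped lines included) and lists only the grants that would let httpd_t change state, which are the ones worth understanding before loading a local module or switching a boolean on. The MODIFYING permission set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Rules copied from the post, including the mail client's line wrapping.
SAMPLE = """\
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search
add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr
setattr read create open };
allow httpd_t postfix_spool_t:dir search;
# is httpd_can_sendmail --> off really to blame?
allow httpd_t self:process setrlimit;
"""

# Assumption of this example: permissions treated as state-changing.
MODIFYING = {"write", "append", "create", "rename", "unlink", "setattr",
             "add_name", "remove_name", "setrlimit"}

RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_rules(text):
    """Return [(source, target, tclass, frozenset(perms))] from audit2allow output."""
    # Drop comment lines, then join the rest so wrapped { ... } sets become one rule.
    body = " ".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = []
    for src, tgt, cls, many, one in RULE.findall(body):
        perms = frozenset((many or one).split())
        rules.append((src, tgt, cls, perms))
    return rules

def modifying_grants(rules):
    """Map (source, target) -> {class: sorted modifying perms}; read-only rules are omitted."""
    out = defaultdict(dict)
    for src, tgt, cls, perms in rules:
        hot = sorted(perms & MODIFYING)
        if hot:
            out[(src, tgt)][cls] = hot
    return dict(out)

if __name__ == "__main__":
    for (src, tgt), classes in modifying_grants(parse_rules(SAMPLE)).items():
        for cls, perms in classes.items():
            print(f"{src} -> {tgt}:{cls} modifies via {' '.join(perms)}")
```
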

