[CentOS] SELinux - way of the future or good idea but !!!
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 5 18:57:00 UTC 2011
On 01/05/2011 11:50 AM, Paul Johnson wrote:
> I quit using Fedora a couple of years ago, largely because I felt as
> though I was being used as an SELinux guinea pig. I spent days and
> days trying to work around selinux problems, until I eventually just
> turned it off.
>
> I'm not a professional sysadmin, but I know many of them who think
> SELinux is still just not workable enough for actual production
> systems.
>
> I just installed the release version of RedHat 6 and wanted to use
> mediawiki and a couple of other CGI php programs. All of those
> programs that require email capability via sendmail/postfix do not
> work with SELINUX turned on. Some programs are nice enough to pop up
> a "sendmail failed" message, but not all.
>
> type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0
> auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/var/www/mediawiki116"
> cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4
> res=success'
> type=AVC msg=audit(1293752692.348:247): avc: denied { search } for
> pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
> type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80
> success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d
> a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48
> euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9
> comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> It is a known bugzilla, there's supposed to be some fix in the way,
> but it has turned into such a big hassle for us here that we've turned
> selinux down to PERMISSIVE mode, just so things will work.
>
> SELINUX generates such a massive amount of output in /var/log/audit
> that I would never be able to notice what fails and what doesn't; some
> programs silently die when SELINUX rejects them. For example, I
> created a bunch of accounts in mediawiki that require email
> confirmation. Use of sendmail was rejected (silently), and so the
> users can't log in. Grrr.
>
>
>
Turn on the httpd_can_sendmail boolean. We do not want all apache
servers to be able to send mail by default.
# setsebool -P httpd_can_sendmail 1
man apache_selinux
...
SELinux policy for httpd can be configured to turn on sending email.
This is a security feature, since it would prevent a vulnerability in
http from causing a spam attack. In certain situations, you may want
http modules to send mail. You can turn on the httpd_send_mail boolean.
setsebool -P httpd_can_sendmail 1
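The complaint in this thread is that the audit log is too noisy to see which denial broke which program, and the reply is that this particular denial (httpd_t searching postfix_spool_t) is governed by a policy boolean rather than needing permissive mode. As an added example, not code from the thread or from Red Hat, the script below pulls AVC records out of audit-log text, reduces each to the fields an admin needs (source type, target type, class, permissions, serial), and annotates the one source/target pair discussed here with the boolean Dan Walsh named. The sample log is constructed from the records quoted above; the BOOLEAN_HINTS table is an illustrative assumption covering only that pair, not a copy of the real policy, which is what audit2why consults.

```python
import re

# Constructed sample: the three records quoted in the thread, one per line.
# The USER_CMD and SYSCALL records are kept to show that only AVC records are selected.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0 auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/www/mediawiki116" cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4 res=success'
type=AVC msg=audit(1293752692.348:247): avc: denied { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

# Assumed, illustrative mapping (source type, target type) -> boolean, taken from the
# advice in this thread only. The authoritative source is the loaded policy (audit2why).
BOOLEAN_HINTS = {("httpd_t", "postfix_spool_t"): "httpd_can_sendmail"}

# Shape of an AVC record: header, verdict, permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A security context is user:role:type[:level]; the type is what policy rules key on.
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
    }


def triage(log_text):
    """Collect denials from audit-log text and attach a boolean hint where one is known."""
    denials = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        avc["boolean_hint"] = BOOLEAN_HINTS.get((avc["source_type"], avc["target_type"]))
        denials.append(avc)
    return denials


def summarize(denials):
    """One human-readable line per denial, ending with the suggested next step."""
    out = []
    for d in denials:
        if d["boolean_hint"]:
            fix = "setsebool -P %s 1" % d["boolean_hint"]
        else:
            fix = "no boolean known here; run audit2why on this record"
        out.append(
            "[%d] %s (%s) denied %s on %s %s (%s) -> %s"
            % (d["serial"], d["comm"], d["source_type"], " ".join(d["perms"]),
               d["tclass"], d["name"], d["target_type"], fix)
        )
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_AUDIT_LOG)):
        print(line)
```

On a real host the input would be /var/log/audit/audit.log (or `ausearch -m avc` output), and the hint table would be replaced by `audit2why`, which reads the loaded policy and reports when a denial is controlled by a boolean. Keeping the output to one line per denial with serial numbers is what makes a silently failing sendmail call visible without turning the whole system permissive.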