On 01/05/2011 11:50 AM, Paul Johnson wrote:
I quit using Fedora a couple of years ago, largely because I felt as though I was being used as an SELinux guinea pig. I spent days and days trying to work around selinux problems, until I eventually just turned it off.
I'm not a professional sysadmin, but I know many of them who think SELinux is still just not workable enough for actual production systems.
I just installed the release version of RedHat 6 and wanted to use mediawiki and a couple of other CGI php programs. All of those programs that require email capability via sendmail/postfix do not work with SELINUX turned on. Some programs are nice enough to pop up a "sendmail failed" message, but not all.
type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0 auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/www/mediawiki116" cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4 res=success'
type=AVC msg=audit(1293752692.348:247): avc: denied { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
It is a known bugzilla, there's supposed to be some fix in the way, but it has turned into such a big hassle for us here that we've turned selinux down to PERMISSIVE mode, just so things will work.
SELINUX generates such a massive amount of output in /var/log/audit that I would never be able to notice what fails and what doesn't; some programs silently die when SELINUX rejects them. For example, I created a bunch of accounts in mediawiki that require email confirmation. Use of sendmail was rejected (silently), and so the users can't log in. Grrr.
Turn on the httpd_can_sendmail boolean. We do not want all apache servers to be able to send mail by default.
# setsebool -P httpd_can_sendmail 1
man apache_selinux ... SELinux policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerability in http from causing a spam attack. In certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
setsebool -P httpd_can_sendmail 1
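As an added example (not part of this thread), a small Python triage script that parses the AVC and SYSCALL records quoted above, maps the httpd_t to postfix_spool_t denial to the httpd_can_sendmail boolean, and uses the paired SYSCALL record to tell whether the call was actually blocked (enforcing) or only logged (permissive, the workaround described above). The BOOLEAN_HINTS table and the function names are assumptions of this example, and the sample audit text is constructed from the quoted records.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted above, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1293752692.348:247): avc: denied { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

REC_RE = re.compile(r'type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical lookup from (source type, target type) to the boolean that permits the
# access; only the pair from this thread is listed (a real tool would query the policy).
BOOLEAN_HINTS = {('httpd_t', 'postfix_spool_t'): 'httpd_can_sendmail'}

def parse_records(audit_text):
    """Group audit records by serial number: {serial: {record type: fields}}."""
    events = {}
    for line in audit_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        body = m.group('body')
        a = AVC_RE.match(body) if m.group('type') == 'AVC' else None
        fields = {k: v.strip('"') for k, v in KV_RE.findall(a.group('rest') if a else body)}
        if a:
            fields['perms'] = a.group('perms').split()
            # The SELinux type is the third colon-separated field of a context.
            fields['stype'] = fields['scontext'].split(':')[2]
            fields['ttype'] = fields['tcontext'].split(':')[2]
        events.setdefault(int(m.group('serial')), {})[m.group('type')] = fields
    return events

def triage(audit_text):
    """For each AVC denial, name the candidate boolean and say whether the call was blocked.
    SYSCALL success=no means enforcing mode stopped it; in permissive mode the same AVC
    is still logged but the syscall succeeds."""
    out = []
    for serial, recs in sorted(parse_records(audit_text).items()):
        avc = recs.get('AVC')
        if not avc:
            continue
        out.append({
            'serial': serial,
            'comm': avc.get('comm'),
            'denied': ' '.join(avc['perms']) + ' on ' + avc['tclass'],
            'boolean': BOOLEAN_HINTS.get((avc['stype'], avc['ttype'])),
            'blocked': recs.get('SYSCALL', {}).get('success') == 'no',
        })
    return out
```

Run triage() over the contents of /var/log/audit/audit.log to find the denials a boolean would resolve, rather than dropping the whole machine to permissive mode.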