Hello, I'm using the targeted policy. PHP's mail() function fails because of selinux.
audit(1149662369.454:2): avc: denied { setgid } for pid=18085 comm="sendmail" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
When I turn to permissive mode:
audit(1149668677.105:12): avc: denied { setuid } for pid=29159 comm="sendmail" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1149668677.157:13): avc: denied { dac_override } for pid=29159 comm="sendmail" capability=1 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1149668677.209:14): avc: denied { write } for pid=29159 comm="sendmail" name="input" dev=dm-3 ino=1335707 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1149668677.209:15): avc: denied { add_name } for pid=29159 comm="sendmail" name="1FntLB-0007aJ-6i-D" scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Maybe there should be a context change to some MTA-specific context during the execution of /usr/sbin/sendmail.
ls -Z /usr/sbin
-rwsr-xr-x root root system_u:object_r:sbin_t /usr/sbin/exim
lrwxrwxrwx root root root:object_r:sbin_t /usr/sbin/sendmail -> /etc/alternatives/mta
lrwxrwxrwx root root system_u:object_r:sbin_t /usr/sbin/sendmail.exim -> exim
Maybe exim should be sendmail_exec_t?
I can't experiment now. Will try setting it later.
Can anyone give me some guidance?
On Jun 7, 2006, at 11:19 AM, Lazy wrote:
Hello, I'm using the targeted policy. PHP's mail() function fails because of selinux.
audit2allow is very helpful. It will tell you what policies you need to add to mitigate a denial. It's in the policycoreutils rpm. There seems to be no man page for it on CentOS, but
audit2allow </var/log/messages
is probably what you want.
Tony Schreiner
On Wed, 2006-06-07 at 11:36 -0400, Tony Schreiner wrote:
audit2allow </var/log/messages
If you are tuning the policy
audit2allow -d -l
is very handy: it uses dmesg output and only analyses SELinux-related messages from after the last policy load. The SELinux Guide also provides useful information:
http://www.centos.org/docs/4/html/rhel-selg-en-4/
-- Daniel
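To show what audit2allow does with the denials quoted at the top of this thread, here is an added example (not from the thread, and not audit2allow's own code) that parses AVC lines and folds them into allow rules grouped by source type, target type and object class, the same shape audit2allow prints. The input is the denials from the original post, embedded here as constructed sample text (the AVC_RE, KV_RE and function names are this example's own). It also groups denials by the comm field, which makes the point Lazy raised visible: every denial is for comm="sendmail" while the source domain is still httpd_sys_script_t, i.e. no domain transition happened. Treat the generated rules as a description of what the denied process tried to do, to be read before anything is loaded, not as a policy to apply as-is.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted earlier in this thread,
# plus one unrelated syslog line to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
audit(1149662369.454:2): avc: denied { setgid } for pid=18085 comm="sendmail" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1149668677.105:12): avc: denied { setuid } for pid=29159 comm="sendmail" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1149668677.157:13): avc: denied { dac_override } for pid=29159 comm="sendmail" capability=1 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1149668677.209:14): avc: denied { write } for pid=29159 comm="sendmail" name="input" dev=dm-3 ino=1335707 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1149668677.209:15): avc: denied { add_name } for pid=29159 comm="sendmail" name="1FntLB-0007aJ-6i-D" scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jun  7 11:20:01 host kernel: eth0: link up (constructed, not an AVC line)
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {"perms": m.group('perms').split(), **fields}


def type_of(context):
    """Extract the type from user:role:type[:level], e.g. httpd_sys_script_t."""
    return context.split(':')[2]


def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        rules[key].update(d['perms'])
    return rules


def format_rules(rules):
    """Render grouped denials as allow rules in the form audit2allow prints."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt      # same type -> "self"
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def domains_by_comm(log_text):
    """Which source domain(s) each denied command was running in."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            seen[d['comm']].add(type_of(d['scontext']))
    return dict(seen)


if __name__ == "__main__":
    for rule in format_rules(denials_to_rules(SAMPLE_AUDIT_LOG)):
        print(rule)
    for comm, domains in domains_by_comm(SAMPLE_AUDIT_LOG).items():
        print(f"{comm}: ran in {', '.join(sorted(domains))}")
```

For the sample above the output is the two rules `allow httpd_sys_script_t self:capability { dac_override setgid setuid };` and `allow httpd_sys_script_t var_spool_t:dir { add_name write };`, which is what a quick fix in the httpd policy would have to grant. Reading them back is the check worth doing: granting setuid, setgid and dac_override to the CGI script domain is a much broader change than the intended one (letting the MTA run in its own domain), which is exactly why the rules belong on a reviewer's desk rather than straight into the loaded policy.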
2006/6/7, Daniel de Kok danieldk@pobox.com:
On Wed, 2006-06-07 at 11:36 -0400, Tony Schreiner wrote:
audit2allow </var/log/messages
If you are tuning the policy
audit2allow -d -l
Thank you, Tony and Daniel, it helped :) I added a quick fix to httpd.t and it works.
But still I think it's not the right thing (TM). Sendmail works without any adjustments. There is no exim-specific policy, only for sendmail and postfix. Maybe this is the case and setting sendmail_exec_t is not sufficient.
I wonder if this issue is valid in RHEL.
Thanks again, guys.