Hello,
I have deployed Bugzilla 3.6.2 on CentOS 5 (with rpmforge perl-* packages) and I have a problem with SELinux preventing mail being sent via sendmail. (see SELinux reports below, especially the second one)
When SELinux is in permissive mode, mail sending from Bugzilla is working properly.
Has anybody got recent Bugzilla to work with SELinux on CentOS?
Thanks in advance!
Mathieu
--------------------------------------------------------------------------------
Summary:
SELinux is preventing the sendmail from using potentially mislabeled files ./spool (var_spool_t).
Detailed Description:
SELinux has denied the sendmail access to potentially mislabeled files ./spool. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of ./spool so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t './spool'. You can look at the httpd_selinux man page for additional information.
Additional Information:
Source Context: system_u:system_r:httpd_bugzilla_script_t
Target Context: system_u:object_r:var_spool_t
Target Objects: ./spool [ dir ]
Source: sendmail
Source Path: /usr/sbin/sendmail.sendmail
Port: <Unknown>
Host: <Unknown>
Source RPM Packages: sendmail-8.13.8-8.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: httpd_bad_labels
Host Name: www
Platform: Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21 05:04:09 EDT 2010 x86_64 x86_64
Alert Count: 1
First Seen: Mon Sep 27 02:07:43 2010
Last Seen: Mon Sep 27 02:07:43 2010
Local ID: 24372577-2d4c-4bbe-be6b-ea9100b7c3ed
Line Numbers: 11701, 11702
Raw Audit Messages
type=AVC msg=audit(1285546063.60:15): avc: denied { search } for pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1285546063.60:15): arch=c000003e syscall=80 success=no exit=-13 a0=7fffeddf6060 a1=17 a2=fff a3=0 items=0 ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
--------------------------------------------------------------------------------
Summary:
SELinux is preventing sendmail (httpd_bugzilla_script_t) "create" to <Unknown> (httpd_bugzilla_script_t).
Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context: system_u:system_r:httpd_bugzilla_script_t
Target Context: system_u:system_r:httpd_bugzilla_script_t
Target Objects: None [ unix_dgram_socket ]
Source: sendmail
Source Path: /usr/sbin/sendmail.sendmail
Port: <Unknown>
Host: <Unknown>
Source RPM Packages: sendmail-8.13.8-8.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: www
Platform: Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21 05:04:09 EDT 2010 x86_64 x86_64
Alert Count: 1
First Seen: Mon Sep 27 02:07:43 2010
Last Seen: Mon Sep 27 02:07:43 2010
Local ID: f7aa29e4-40d9-4184-904e-4dfb93c57ea7
Line Numbers: 11703, 11704
Raw Audit Messages
type=AVC msg=audit(1285546063.61:16): avc: denied { create } for pid=3420 comm="sendmail" scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:system_r:httpd_bugzilla_script_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1285546063.61:16): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7373696d72655020 items=0 ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
Out of curiosity, when you read the log, did you attempt the suggestion w/o success?
Not really (yet):
- for the first one (./spool), I have not clearly identified (yet) where the file is being created
- for the second they talk about creating a policy module, and even though I may have to go this way, I thought I would first check with the list if there was something simpler that could be done (googling around did not help much).
I have the following booleans set: httpd_can_sendmail --> on
I'm trying to progress thoughtfully because I know that it is way too easy to start messing around with SELinux contexts, etc., and I typically want sendmail to be more secure than less.
I'm now looking at audit2allow: http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191...
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
To follow up on this, audit2allow provided a satisfactory solution (comments on that kind of approach still welcome!):
grep sendmail /var/log/audit/audit.log | audit2allow -m sendmaillocal > sendmaillocal.te
# review and backup sendmaillocal.te
checkmodule -M -m -o sendmaillocal.mod sendmaillocal.te
semodule_package -o sendmaillocal.pp -m sendmaillocal.mod
semodule -i sendmaillocal.pp
Once again the CentOS Wiki proved to be an invaluable source of information.
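As an added example (not part of the thread and not audit2allow itself), here is a small Python parser for AVC records like the two quoted above. It derives the allow rules audit2allow -m would write and, for the "review sendmaillocal.te" step, reports any allow rule in a .te that no observed denial justifies. The log text is a constructed sample built from the thread's records plus one unrelated httpd_t line; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two AVC records, one SYSCALL record
# (skipped) and an unrelated httpd denial that 'grep sendmail' would drop.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1285546063.60:15): avc: denied { search } for pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1285546063.60:15): arch=c000003e syscall=80 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC msg=audit(1285546063.61:16): avc: denied { create } for pid=3420 comm="sendmail" scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:system_r:httpd_bugzilla_script_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1285546063.70:17): avc: denied { read } for pid=3421 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def type_of(ctx):
    """Type field of a security context written as user:role:type[:level]."""
    return ctx.split(":")[2]

def parse_avc(log_text, comm=None):
    """Return (source_type, target_type, tclass, perm) per denied permission.
    With comm set, only that command's records are kept (the thread's
    'grep sendmail' filter, applied to the comm= field instead of the line)."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        for perm in m.group("perms").split():
            out.append((type_of(m.group("scontext")),
                        type_of(m.group("tcontext")), m.group("tclass"), perm))
    return out

def allow_rules(denials):
    """Collapse denials into 'allow src tgt:class { perms };' lines, the shape
    audit2allow -m emits (module and require headers omitted here)."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in denials:
        perms[(src, tgt, cls)].add(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

def unjustified_rules(te_lines, denials):
    """Review step: allow rules in a .te that no observed denial explains,
    so an over-broad module is caught before semodule -i loads it."""
    justified = set(allow_rules(denials))
    return [l.strip() for l in te_lines
            if l.strip().startswith("allow") and l.strip() not in justified]
```

Feeding the real /var/log/audit/audit.log to parse_avc and the generated sendmaillocal.te to unjustified_rules gives the review the thread recommends: every rule left over is one worth understanding before loading the module.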