[CentOS] Bugzilla 3.6.2 + sendmail + SELinux

Sun Sep 26 23:16:43 UTC 2010
Mathieu Baudier <mbaudier at argeo.org>

Hello,

I have deployed Bugzilla 3.6.2 on CentOS 5 (with rpmforge perl-*
packages) and I have a problem with SELinux preventing mail being sent
via sendmail.
(see SELinux reports below, especially the second one)

When SELinux is in permissive mode, mail sending from Bugzilla is
working properly.

Has anybody got recent Bugzilla to work with SELinux on CentOS?

Thanks in advance!

Mathieu


--------------------------------------------------------------------------------


Summary:

SELinux is preventing the sendmail from using potentially mislabeled files
./spool (var_spool_t).

Detailed Description:

SELinux has denied the sendmail access to potentially mislabeled files ./spool.
This means that SELinux will not allow httpd to use these files. Many third
party apps install html files in directories that SELinux policy cannot predict.
These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of ./spool so that the httpd daemon can
access it, you need to execute it using chcon -t httpd_sys_content_t './spool'.
You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_bugzilla_script_t
Target Context                system_u:object_r:var_spool_t
Target Objects                ./spool [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sendmail-8.13.8-8.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     www
Platform                      Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21
                              05:04:09 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Sep 27 02:07:43 2010
Last Seen                     Mon Sep 27 02:07:43 2010
Local ID                      24372577-2d4c-4bbe-be6b-ea9100b7c3ed
Line Numbers                  11701, 11702

Raw Audit Messages

type=AVC msg=audit(1285546063.60:15): avc:  denied  { search } for
pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722
scontext=system_u:system_r:httpd_bugzilla_script_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

type=SYSCALL msg=audit(1285546063.60:15): arch=c000003e syscall=80
success=no exit=-13 a0=7fffeddf6060 a1=17 a2=fff a3=0 items=0
ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)



--------------------------------------------------------------------------------


Summary:

SELinux is preventing sendmail (httpd_bugzilla_script_t) "create" to <Unknown>
(httpd_bugzilla_script_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:httpd_bugzilla_script_t
Target Context                system_u:system_r:httpd_bugzilla_script_t
Target Objects                None [ unix_dgram_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sendmail-8.13.8-8.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     www
Platform                      Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21
                              05:04:09 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Sep 27 02:07:43 2010
Last Seen                     Mon Sep 27 02:07:43 2010
Local ID                      f7aa29e4-40d9-4184-904e-4dfb93c57ea7
Line Numbers                  11703, 11704

Raw Audit Messages

type=AVC msg=audit(1285546063.61:16): avc:  denied  { create } for
pid=3420 comm="sendmail"
scontext=system_u:system_r:httpd_bugzilla_script_t:s0
tcontext=system_u:system_r:httpd_bugzilla_script_t:s0
tclass=unix_dgram_socket

type=SYSCALL msg=audit(1285546063.61:16): arch=c000003e syscall=41
success=no exit=-13 a0=1 a1=2 a2=0 a3=7373696d72655020 items=0
ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
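
The second alert says a local policy module can be generated for these denials. As an added example (not from the post, and not audit2allow itself), the script below is a minimal POSIX sh/awk re-implementation of what audit2allow does with AVC records: it turns the two denials above into the allow rules and the .te module source they would become, so the rules can be read and judged before anything is installed. The function names avc_to_te and avc_to_module and the module name local_bugzilla are made up for this example; the sample input is the post's two AVC records, re-joined onto one line each as ausearch prints them.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of audit2allow's rule
# generation, so AVC denials can be read as policy rules before a module
# is built. Function and module names (avc_to_te, avc_to_module,
# local_bugzilla) are made up for this example.

# Constructed sample: the two AVC records from the post, one per line,
# as "ausearch -m avc -c sendmail" would print them.
AVC_SAMPLE='type=AVC msg=audit(1285546063.60:15): avc:  denied  { search } for pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1285546063.61:16): avc:  denied  { create } for pid=3420 comm="sendmail" scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:system_r:httpd_bugzilla_script_t:s0 tclass=unix_dgram_socket'

# avc_to_te: read AVC records on stdin, print one allow rule per
# (source type, target type, object class) with permissions merged.
# The type is the third field of user:role:type:level; a target equal to
# the source is written as "self", the way audit2allow prints it.
# Records that are not denials ("granted") produce no rule.
avc_to_te() {
    awk '
    /^type=AVC/ && / denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # keep text after "{"
        sub(/ *[}].*/, "", perms)              # drop text from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = substr($i, 10)
            if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        split(src, s, ":"); split(tgt, t, ":")
        target = (s[3] == t[3]) ? "self" : t[3]
        key = s[3] " " target ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = plist[key] " " p[j]
            }
        }
    }
    END {
        for (k in plist) print "allow " k " {" plist[k] " };"
    }' | sort
}

# avc_to_module NAME: wrap the rules in complete .te source with the
# require block checkmodule needs (every type, and every class with the
# permissions the rules use).
avc_to_module() {
    rules=$(avc_to_te)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # types: the source type, plus the target type unless it is "self"
    printf '%s\n' "$rules" |
        awk '{ print $2; split($3, t, ":"); if (t[1] != "self") print t[1] }' |
        sort -u | sed 's/.*/    type &;/'
    # classes: one "class perm" line per rule permission, then merged
    printf '%s\n' "$rules" |
        awk '{ split($3, t, ":"); perms = $0
               sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
               n = split(perms, p, " ")
               for (i = 1; i <= n; i++) print t[2] " " p[i] }' |
        sort -u |
        awk '{ need[$1] = need[$1] " " $2 }
             END { for (c in need) print "    class " c " {" need[c] " };" }' |
        sort
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: print the module source for the two denials above.
printf '%s\n' "$AVC_SAMPLE" | avc_to_module local_bugzilla
```

On the real host the same result comes from `ausearch -m avc -c sendmail | audit2allow -M local_bugzilla`, which also runs checkmodule and semodule_package; `semodule -i local_bugzilla.pp` then installs it. Reading the rules first is the point: the first denial is a chdir(2) (syscall 80 on x86_64) into a var_spool_t directory, and the second is socket(2) (syscall 41) with a0=1 a1=2, i.e. AF_UNIX/SOCK_DGRAM, which is what syslog(3) opens. Both are ordinary sendmail behaviour that fails only because sendmail is still running in the CGI domain httpd_bugzilla_script_t instead of transitioning to its own. Before widening the CGI domain with a custom module, check whether the installed targeted policy already offers a boolean for this (`getsebool -a | grep -i mail`, and the httpd_selinux man page the first alert refers to); if one exists and covers this script domain, `setsebool -P` on it is the smaller change.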