[CentOS] SELinux - way of the future or good idea but !!!

Wed Jan 5 18:57:00 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/05/2011 11:50 AM, Paul Johnson wrote:
> I quit using Fedora a couple of years ago, largely because I felt as
> though I was being used as an SELinux guinea pig. I spent days and
> says trying to work around selinux problems, until I eventually just
> turned it off.
> 
> I'm not a professional sysadmin, but I know many of them who think
> SELinux is still just not workable enough for actual production
> systems.
> 
> I just installed the release version of RedHat 6 and wanted to use
> mediawiki and a couple of other CGI php programs.  All of those
> programs that require email capability via sendmail/postfix do not
> work with SELINUX turned on.  Some programs are nice enough to pop up
> a "sendmail failed" message, but not all.
> 
> type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0
> auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/var/www/mediawiki116"
> cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4
> res=success'
> type=AVC msg=audit(1293752692.348:247): avc:  denied  { search } for
> pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
> type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80
> success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d
> a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48
> euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9
> comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> 
> It is a known bugzilla, there's supposed to be some fix in the way,
> but it has turned into such a big hassle for us here that we've turned
> selinux down to PERMISSIVE mode, just so things will work.
> 
> SELINUX generates such a massive amount of output in /var/log/audit
> that I would never be able to notice what fails and what doesnt, some
> programs silently die with SELINUX rejects them.  For example, I
> created a bunch of accounts in mediawiki that require email
> confirmation. Use of sendmail was rejected, (silently), and so the
> users's can't log in. Grrr.
> 
> 
> 
Turn on the httpd_can_sendmail boolean.  We do not want all apache
servers to be able to send mail by default.

# setsebool -P httpd_can_sendmail 1

man apache_selinux
...
       SELinu policy for httpd can be configured to  turn  on  sending
email.
       This  is  a security feature, since it would prevent a
vulnerabiltiy in
       http from causing a spam attack.  I certain situations,  you  may
 want
       http  modules  to send mail.  You can turn on the httpd_send_mail
bool?
       ean.

       setsebool -P httpd_can_sendmail 1



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0kvvwACgkQrlYvE4MpobMNgACeNILc8S4gRo70rwyWLgTc7+D7
b8YAnRsl4HZhAcKMAqly/BsemG6EipP/
=WvAc
-----END PGP SIGNATURE-----