On 01/05/2011 11:50 AM, Paul Johnson wrote:
> I quit using Fedora a couple of years ago, largely because I felt as
> though I was being used as an SELinux guinea pig. I spent days and
> days trying to work around selinux problems, until I eventually just
> turned it off.
>
> I'm not a professional sysadmin, but I know many of them who think
> SELinux is still just not workable enough for actual production
> systems.
>
> I just installed the release version of RedHat 6 and wanted to use
> mediawiki and a couple of other CGI php programs. All of those
> programs that require email capability via sendmail/postfix do not
> work with SELINUX turned on. Some programs are nice enough to pop up
> a "sendmail failed" message, but not all.
>
> type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0
> auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/var/www/mediawiki116"
> cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4
> res=success'
> type=AVC msg=audit(1293752692.348:247): avc: denied { search } for
> pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
> type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80
> success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d
> a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48
> euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9
> comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> It is a known bugzilla, there's supposed to be some fix in the way,
> but it has turned into such a big hassle for us here that we've turned
> selinux down to PERMISSIVE mode, just so things will work.
>
> SELINUX generates such a massive amount of output in /var/log/audit
> that I would never be able to notice what fails and what doesn't; some
> programs silently die when SELINUX rejects them. For example, I
> created a bunch of accounts in mediawiki that require email
> confirmation. Use of sendmail was rejected (silently), and so the
> users can't log in. Grrr.
>

Turn on the httpd_can_sendmail boolean. We do not want all apache servers to be able to send mail by default.

# setsebool -P httpd_can_sendmail 1

man apache_selinux
...
SELinux policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerability in http from causing a spam attack. In certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.

setsebool -P httpd_can_sendmail 1
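A small helper for the triage step the reply implies: pull the source type, target type, class and denied permission out of an AVC record like the one quoted above, and map the httpd_t-to-postfix-spool case onto the boolean named in the reply. This is an added example, not code from either poster or from the SELinux tools; the sample line is the thread's own denial reconstructed onto one line, and the type-to-boolean mapping covers only the case discussed here.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
AVC_SAMPLE='type=AVC msg=audit(1293752692.348:247): avc: denied { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir'

# avc_field LINE KEY -> value of "KEY=value" in the record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# avc_type CONTEXT -> type component of user:role:type:level (e.g. httpd_t)
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type tclass permission"
avc_summary() {
    _src=$(avc_type "$(avc_field "$1" scontext)")
    _tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$_src" "$_tgt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# avc_hint LINE -> the boolean that covers this denial, or "none".
# Only the case from the thread is mapped: httpd_t reaching a postfix_*_t
# object is what httpd_can_sendmail permits; anything else needs a real look
# (audit2allow -w is the usual next step).
avc_hint() {
    set -- $(avc_summary "$1")
    case "$1:$2" in
        httpd_t:postfix_*_t) echo httpd_can_sendmail ;;
        *)                   echo none ;;
    esac
}

# Stand-alone run: summarise the sample and print the suggested boolean.
avc_summary "$AVC_SAMPLE"
avc_hint "$AVC_SAMPLE"
```

On a live host, feed it real records with `ausearch -m AVC`, then confirm the current state with `getsebool httpd_can_sendmail` before deciding whether the setsebool line from the reply is the right fix.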