[CentOS] SELinux - way of the future or good idea but !!!

Fri Jan 7 11:21:04 UTC 2011
David Sommerseth <dazo at users.sourceforge.net>

On 06/01/11 04:03, Paul Johnson wrote:
> On Wed, Jan 5, 2011 at 12:57 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Hash: SHA1
>> On 01/05/2011 11:50 AM, Paul Johnson wrote:
>> Turn on the httpd_can_sendmail boolean.  We do not want all apache
>> servers to be able to send mail by default.
>> # setsebool -P httpd_can_sendmail 1
>> man httpd_selinux
>> ...
> Dear Mr Walsh:
> Thanks very much for the information.  I did as you said, turned
> SELinux back on, and now mediawiki can send email, like it is supposed
> to!
> I would not have figured it out if you had not posted your advice.
> I hope this thread finds it way to google so other people will see it
> is a solved problem!

Whenever SELinux seems to try to bite me, I first list out all boolean
settings, using grep.  In your case I would do something like this:

[root at host: ~]# semanage boolean -l | grep mail
allow_postfix_local_write_mail_spool -> off   Allow postfix_local doma..
httpd_can_sendmail             -> off   Allow http daemon to send mail..
[root at host: ~]# getsebool -a | grep mail
allow_postfix_local_write_mail_spool --> off
httpd_can_sendmail --> off
[root at host: ~]#

semanage boolean and getsebool gives basically the same information,
except semanage give a little helpful description in addition.

If that's not helping, audit2why or audit2allow usually helps me to
understand a little bit more what is going on.  And from there I usually
figure out if I need to enable more booleans or if I have a specific
setup of my own which need a hand crafted SELinux module.

kind regards,

David Sommerseth