[CentOS] SELinux - way of the future or good idea but !!!
David Sommerseth
dazo at users.sourceforge.net
Fri Jan 7 11:21:04 UTC 2011
On 06/01/11 04:03, Paul Johnson wrote:
> On Wed, Jan 5, 2011 at 12:57 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 01/05/2011 11:50 AM, Paul Johnson wrote:
>>>
>> Turn on the httpd_can_sendmail boolean. We do not want all apache
>> servers to be able to send mail by default.
>>
>> # setsebool -P httpd_can_sendmail 1
>>
>> man httpd_selinux
>> ...
>
> Dear Mr Walsh:
>
> Thanks very much for the information. I did as you said, turned
> SELinux back on, and now mediawiki can send email, like it is supposed
> to!
>
> I would not have figured it out if you had not posted your advice.
>
> I hope this thread finds its way to Google so other people will see it
> is a solved problem!

Whenever SELinux seems to try to bite me, I first list out all boolean
settings, using grep. In your case I would do something like this:

    [root@host: ~]# semanage boolean -l | grep mail
    allow_postfix_local_write_mail_spool -> off Allow postfix_local doma..
    httpd_can_sendmail -> off Allow http daemon to send mail..
    [root@host: ~]# getsebool -a | grep mail
    allow_postfix_local_write_mail_spool --> off
    httpd_can_sendmail --> off
    [root@host: ~]#

semanage boolean and getsebool give basically the same information,
except semanage gives a little helpful description in addition.

If that's not helping, audit2why or audit2allow usually helps me to
understand a little bit more what is going on. And from there I usually
figure out if I need to enable more booleans or if I have a specific
setup of my own which needs a hand-crafted SELinux module.

kind regards,
David Sommerseth
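
The triage steps from the message above, as an added example that is not part of the original post or of any SELinux tool: it narrows `semanage boolean -l` output to the booleans that are still off for a keyword, and goes one step further by summarising AVC denials so you know which domain to grep for before reaching for audit2why. The function names and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed, not taken from the thread.
# On a real host, pipe in `semanage boolean -l` and the AVC records from
# /var/log/audit/audit.log instead of the variables below.

# Constructed sample in the "name -> state description" layout shown above.
SAMPLE_BOOLEANS='allow_postfix_local_write_mail_spool -> on   Allow postfix_local doma..
httpd_can_sendmail             -> off  Allow http daemon to send mail..
httpd_enable_cgi               -> on   Allow httpd cgi support'

# Constructed AVC denial records in the audit.log format.
SAMPLE_AVC='type=AVC msg=audit(1294398064.101:310): avc:  denied  { execute } for  pid=2101 comm="httpd" name="sendmail.postfix" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1294398070.220:311): avc:  denied  { execute } for  pid=2107 comm="httpd" name="sendmail.postfix" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1294398075.007:312): avc:  denied  { write } for  pid=2110 comm="httpd" name="mail" dev=dm-0 ino=4800 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir'

# Print "name<TAB>description" for booleans that mention keyword $1 (in the
# name or the description) and are currently off: the ones worth reviewing.
off_booleans() {
    awk -v kw="$1" '$2 == "->" && $3 == "off" && index($0, kw) {
        name = $1
        $1 = $2 = $3 = ""          # drop name, arrow and state
        sub(/^ +/, "")             # keep only the description
        print name "\t" $0
    }'
}

# Collapse AVC denials to "count source_type target_type class permissions",
# so repeated denials from one daemon show up as a single line.
denial_summary() {
    sed -n 's/.*avc: *denied *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_0-9]*\).*/\2 \3 \4 \1/p' |
        sort | uniq -c | sed 's/^ *//'
}

printf '%s\n' "$SAMPLE_BOOLEANS" | off_booleans mail
printf '%s\n' "$SAMPLE_AVC" | denial_summary
```

Only enable a boolean the summary actually points to; anything it does not explain is what audit2why and, as a last resort, a hand-written module are for.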