squirrelmail / postfix mail lost policy 1.17.30-2.80

Daniel J Walsh dwalsh at redhat.com
Thu Feb 24 20:15:17 UTC 2005


Jeremy Ardley wrote:

> Daniel J Walsh wrote:
>
>> Jeremy Ardley wrote:
>>
>>> When I check the messages log I see the following avc entries
>>>
>>> Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc:  denied  
>>> { read append } for  pid=7589 exe=/bin/bash 
>>> path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914 
>>> scontext=user_u:system_r:httpd_sys_script_t 
>>> tcontext=root:object_r:httpd_var_lib_t tclass=file
>>> Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc:  denied  
>>> { create } for  pid=7589 exe=/usr/sbin/sendmail.postfix 
>>> scontext=user_u:system_r:httpd_sys_script_t 
>>> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
>>> Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc:  denied  
>>> { search } for  pid=7589 exe=/usr/sbin/sendmail.postfix name=spool 
>>> dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t 
>>> tcontext=system_u:object_r:var_spool_t tclass=dir
>>> Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc:  denied  
>>> { create } for  pid=7589 exe=/usr/sbin/sendmail.postfix 
>>> scontext=user_u:system_r:httpd_sys_script_t 
>>> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
>>>
>>> I have seen previous correspondence regarding similar faults but 
>>> nothing I have tried has improved things. Is there a definitive fix 
>>> I can apply?
>>
>>
>>
>> restorecon -R -v /usr/lib/squirrelmail /usr/sbin/sendmail.postfix 
>> /var/spool
>>
>> Should help.
>>
> I had to change the command to
>
> restorecon -R -v /var/lib/squirrelmail /usr/sbin/sendmail.postfix 
> /var/spool
>
> However I still get errors - though different ones - and the mail is 
> still dropped
>
> Feb 25 03:30:47 mail kernel: audit(1109273447.864:0): avc:  denied  { 
> create } for  pid=8704 exe=/usr/sbin/sendmail.postfix 
> scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> Feb 25 03:30:47 mail kernel: audit(1109273447.878:0): avc:  denied  { 
> search } for  pid=8704 exe=/usr/sbin/sendmail.postfix name=spool 
> dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:var_spool_t tclass=dir
> Feb 25 03:30:47 mail kernel: audit(1109273447.880:0): avc:  denied  { 
> create } for  pid=8704 exe=/usr/sbin/sendmail.postfix 
> scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
>
Could you try the selinux-policy-targeted-1.17.30-2.84 on
ftp://people.redhat.com/dwalsh/SELinux/FC3

Your /usr/sbin/sendmail.postfix has the wrong context on it.  It should 
be running as sendmail_exec_t

and
/var/spool/postfix should be system_u:object_r:mail_spool_t

Dan
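
An added example, not part of the original thread: a small Python parser for AVC denial records in the format quoted above, grouping denials by executable, source domain, target type and object class. The sample input is the second log excerpt from the thread with each record re-joined onto one line; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records from the second excerpt in the thread, one record per line.
SAMPLE_LOG = """\
Feb 25 03:30:47 mail kernel: audit(1109273447.864:0): avc:  denied  { create } for  pid=8704 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Feb 25 03:30:47 mail kernel: audit(1109273447.878:0): avc:  denied  { search } for  pid=8704 exe=/usr/sbin/sendmail.postfix name=spool dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 25 03:30:47 mail kernel: audit(1109273447.880:0): avc:  denied  { create } for  pid=8704 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one denial record; return None for non-AVC or incomplete lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # record was truncated or wrapped mid-field
    return {
        "perms": m.group("perms").split(),
        "exe": fields.get("exe"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Map (exe, source type, target type, class) -> sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["exe"], rec["source_type"], rec["target_type"], rec["tclass"])
            summary[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print(key, perms)
```

On this input the summary shows sendmail.postfix executing in the httpd_sys_script_t domain and being denied search on a var_spool_t directory, the two labels the reply above addresses.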
