apache + mod_perl + sendmail - FC3 SELinux

Joe Roback robackja at cs.arizona.edu
Fri Apr 29 07:33:02 UTC 2005


FC3 2.6.11-1.14_FC3

SELinux related rpms:
libselinux-1.19.1-8
libselinux-devel-1.19.1-8
selinux-policy-targeted-1.17.30-2.96

perl-5.8.5-9
sendmail-8.13.1-2
httpd-2.0.52-3.1

I am using software from http://software.eprints.org. It is a web 
application that uses mod_perl. It sends emails for registering users and 
forgotten passwords. Anytime an email is fired off, syslog shows this:

Apr 28 21:48:23 dlist kernel: audit(1114750103.574:0): avc:  denied  { 
read } for  pid=25276 exe=/usr/sbin/httpd name=sendmail dev=dm-0 
ino=368559 scontext=root:system_r:httpd_t 
tcontext=system_u:object_r:sbin_t tclass=lnk_file

I have also tried sending email with PHP's mail() call and it resulted in:

Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc:  denied  { 
write } for  pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue 
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t 
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc:  denied  { 
add_name } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t 
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc:  denied  { 
create } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t 
tcontext=root:object_r:var_spool_t tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc:  denied  { 
getattr } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc:  denied  { 
lock } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc:  denied  { 
write } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.687:0): avc:  denied  { 
read } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=dfj3T4mNH8025276 dev=dm-0 ino=2311458 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc:  denied  { 
remove_name } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462 
scontext=root:system_r:system_mail_t 
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc:  denied  { 
rename } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc:  denied  { 
unlink } for  pid=25276 exe=/usr/sbin/sendmail.sendmail 
name=qfj3T4mNH8025276 dev=dm-0 ino=2311461 
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t 
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc:  denied  { 
read } for  pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue 
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t 
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.901:0): avc:  denied  { 
sigchld } for  pid=1 exe=/sbin/init scontext=root:system_r:system_mail_t 
tcontext=user_u:system_r:unconfined_t tclass=process

This is really troubling, since sending email through a CGI application 
is probably the most basic web application there is. Any help would be 
greatly appreciated. This is my first time dealing with SELinux, so I am 
a newbie here. :)

sestatus:
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Mode from config file:  disabled
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

I am not sure what other information might be helpful, but ask and you 
shall receive. :)



cheers,

Joe Roback
<robackja at cs.arizona.edu>
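
Added example, not part of the original message: a small Python parser that rejoins mail-wrapped AVC denial records like the ones quoted above and merges the denied permissions per (source type, target type, object class), so a long run of denials reduces to the few domain/label pairs involved. The names parse_denials and summarize and the output format are assumptions made for this example.

```python
import re
from collections import defaultdict

# Three denials copied from the message above, keeping its mail line wrapping.
SAMPLE = """\
Apr 28 21:48:23 dlist kernel: audit(1114750103.574:0): avc:  denied  {
read } for  pid=25276 exe=/usr/sbin/httpd name=sendmail dev=dm-0
ino=368559 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc:  denied  {
write } for  pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc:  denied  {
add_name } for  pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
"""

DENIED = re.compile(r"\s*denied\s*\{([^}]*)\}\s*for\s+(.*)", re.S)

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial."""
    flat = " ".join(text.split())          # undo mail/syslog line wrapping
    for chunk in flat.split("avc:")[1:]:   # one chunk per AVC record
        m = DENIED.match(chunk)
        if not m:                          # e.g. "granted" records
            continue
        kv = dict(t.split("=", 1) for t in m.group(2).split() if "=" in t)
        try:
            # SELinux context is user:role:type; keep the type field
            src = kv["scontext"].split(":")[2]
            tgt = kv["tcontext"].split(":")[2]
            yield src, tgt, kv["tclass"], m.group(1).split()
        except (KeyError, IndexError):     # truncated record, skip it
            continue

def summarize(text):
    """Merge permissions per (source, target, class), audit2allow-style."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(text):
        merged[(src, tgt, tclass)].update(perms)
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The summary is for reading which domain was denied access to which label; it is not policy to load as-is.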



