apache + mod_perl + sendmail - FC3 SELinux
Joe Roback
robackja at cs.arizona.edu
Fri Apr 29 07:33:02 UTC 2005
FC3 2.6.11-1.14_FC3
SELinux related rpms:
libselinux-1.19.1-8
libselinux-devel-1.19.1-8
selinux-policy-targeted-1.17.30-2.96
perl-5.8.5-9
sendmail-8.13.1-2
httpd-2.0.52-3.1
I am using software from http://software.eprints.org, a web application
that uses mod_perl. It sends emails for registering users and forgotten
passwords. Anytime an email is fired off, syslog shows this:
Apr 28 21:48:23 dlist kernel: audit(1114750103.574:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/httpd name=sendmail dev=dm-0
ino=368559 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file
I have also tried sending email with PHP's mail() call and it resulted in:
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
write } for pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
add_name } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
create } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
getattr } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
lock } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
write } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.687:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
remove_name } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462
scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
rename } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
unlink } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=qfj3T4mNH8025276 dev=dm-0 ino=2311461
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.901:0): avc: denied {
sigchld } for pid=1 exe=/sbin/init scontext=root:system_r:system_mail_t
tcontext=user_u:system_r:unconfined_t tclass=process
This is really troubling, since sending email through a CGI application
is probably the most basic web application there is. Any help would be
greatly appreciated. This is my first time dealing with SELinux, so I am
a newbie here. :)
sestatus:
SELinux status:             enabled
SELinuxfs mount:            /selinux
Current mode:               permissive
Mode from config file:      disabled
Policy version:             18
Policy from config file:    targeted
Policy booleans:
allow_ypbind                active
dhcpd_disable_trans         inactive
httpd_disable_trans         inactive
httpd_enable_cgi            active
httpd_enable_homedirs       active
httpd_ssi_exec              active
httpd_tty_comm              inactive
httpd_unified               active
mysqld_disable_trans        inactive
named_disable_trans         inactive
named_write_master_zones    inactive
nscd_disable_trans          inactive
ntpd_disable_trans          inactive
portmap_disable_trans       inactive
postgresql_disable_trans    inactive
snmpd_disable_trans         inactive
squid_disable_trans         inactive
syslogd_disable_trans       inactive
use_nfs_home_dirs           inactive
use_samba_home_dirs         inactive
use_syslogng                inactive
winbind_disable_trans       inactive
ypbind_disable_trans        inactive
I am not sure what other information might be helpful, but ask and you
shall receive. :)
cheers,
Joe Roback
<robackja at cs.arizona.edu>
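
Added example, not part of the original post: Python that rejoins the line-wrapped AVC records as they appear above and groups the denied permissions by source type, target type and object class, so the distinct denials (httpd_t reading the sendmail symlink, system_mail_t working in a var_spool_t directory) stand out from the repeated lines. The sample holds three denials copied from the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Three denials copied from the post, in the wrapped form the archive shows.
SAMPLE = """\
Apr 28 21:48:23 dlist kernel: audit(1114750103.574:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/httpd name=sendmail dev=dm-0
ino=368559 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
write } for pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
add_name } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
"""

def parse_denials(text):
    """Yield one dict per AVC denial, tolerating records wrapped over lines."""
    flat = " ".join(text.split())            # undo mail-client line wrapping
    for chunk in flat.split("avc: denied")[1:]:
        m = re.match(r"\s*\{([^}]*)\}(.*)", chunk)
        if not m:
            continue                         # malformed record, skip it
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue                         # truncated record, skip it
        yield {
            "perms": m.group(1).split(),
            # A context is user:role:type[:level]; the type is field 3.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }

def summarize(text):
    """Map (source type, target type, class) to the sorted denied permissions."""
    grouped = defaultdict(set)
    for d in parse_denials(text):
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```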