Request Tracker 3

Daniel J Walsh dwalsh at redhat.com
Wed Feb 2 15:10:04 UTC 2005


Kanwar Ranbir Sandhu wrote:

>On Tue, 2005-01-02 at 18:58 -0500, Colin Walters wrote:
>  
>
>>Hmmm.  Surely the SendEmail.pm perl module doesn't scribble on the
>>postfix queue directly; I don't think that's supported.
>>    
>>
>
>I don't know enough about the innards of RT to answer your question.
>However, I've sent an email to the RT list about this.  Hopefully someone
>will chime in;  I'll let you know.
>
>  
>
>>Try:
>>
>>chcon -h -t sendmail_exec_t /usr/sbin/sendmail.postfix
>>    
>>
>
>That got rid of the { setrlimit } denial, and produced a new one:
>
>avc:  denied  { execute } for  pid=5736 exe=/usr/sbin/sendmail.postfix
>name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:sbin_t tclass=file
>
>
>Now, I don't want to confuse the issue, but in RT you define the mail
>command as 'sendmail' or 'sendmailpipe'.  If using sendmail, then the
>arguments are '-oi'.  If it's sendmailpipe, the arguments are '-oi -t',
>and the location of the sendmail binary must be specified
>(/usr/sbin/sendmail).
>
>The above error was generated with the mail command in RT to sendmail.
>When I set the mail command to sendmailpipe, I got this denial:
>
>avc:  denied  { read } for  pid=5977 exe=/usr/sbin/httpd name=sendmail
>dev=dm-3 ino=277369 scontext=root:system_r:httpd_t
>tcontext=user_u:object_r:sbin_t tclass=lnk_file
>
>
>I then changed the location of the sendmail binary parameter in RT
>to /usr/sbin/sendmail.postfix (but kept the mail command as
>sendmailpipe):
>
>avc:  denied  { execute } for  pid=6019 exe=/usr/sbin/sendmail.postfix
>name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:sbin_t tclass=file
>
>That's the same denial as the very first one listed above.
>
>I just wanted to point that out.  In the past, I have configured RT
>with:
>
>mail command: sendmail
>arguments: -oi
>path: /usr/sbin/sendmail
>
>So, that's what I'll be sticking with, unless something else comes up.
>
>It seems the solution is a little closer...
>
>Regards,
>
>Ranbir
>  
>
Rather than going down a rathole here, could you

setenforce 0

Run both tests and send the avc messages.





More information about the fedora-selinux-list mailing list