selinux in fc3 and squirrelmail

Daniel J Walsh dwalsh at redhat.com
Wed Jan 26 18:59:29 UTC 2005


Hongwei Li wrote:

>Hi,
>
>I have some problems with squirrelmail 1.4.3a in a redhat fc3 linux system
>where selinux is enforced.  My system:
>
>os:     RedHat FC3 linux, kernel 2.6.9, selinux enforced, iptables enabled
>web:    httpd-2.0.52-3.1 (apache)
>sendmail:       8.13.1-2
>squirrelmail:   1.4.3a-6.FC3 configured with smtp, not sendmail
>php:    4.3.10-3.2
>mysql:  3.23.58-13
>
>I have found 2 major problems of squirrelmail so far when selinux is
>enforced:
>
>1. cannot connect mysql database for any purpose (addressbook, pref, etc.)
>-- always "Error initializing addressbook database" etc.;
>
>The system log shows:
>
>Jan 23 10:21:18 pippo kernel: audit(1105978878.395:0): avc:  denied  {
>write } for  pid=21651 exe=/usr/sbin/httpd name=mysql.sock dev=hda3
>ino=455088 scontext=root:system_r:httpd_t
>tcontext=user_u:object_r:var_lib_t tclass=sock_file
>
>2. cannot attach any file to send -- always denied.
>
>The system log shows:
>...
>Jan 25 15:09:25 pippo kernel: audit(1106687365.076:0): avc:  denied  {
>write } for  pid=23123 exe=/usr/sbin/httpd name=attach dev=hda3 ino=470516
>scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_spool_t
>tclass=dir
>...
>
>The sm attachment dir is set by default as in config.php:
>
>$attachment_dir           = '/var/spool/squirrelmail/attach/';
>
>and its mode is:
>
># ls -lZ /var/spool/squirrelmail/
>drwx------  apache   apache   system_u:object_r:var_spool_t    attach
>
>
>There might be more problems in sm when selinux is enforced, but I just
>haven't found them.
>
>If I disable selinux while iptables is still enabled and the required
>ports are opened, everything in squirrelmail works well, no problem at
>all.
>
>Is there anybody using sm 1.4.3a in fc3 with selinux enforced?  Do you
>have any problem with mysql database initialization and attach files to
>send?  If you find a way to solve the problem, please share it with me. 
>I'd greatly appreciate all help!
>
>Thanks!
>
>Hongwei Li
>
Have you updated to the latest policy? 

If not, please do.

With the latest policy installed, run:
restorecon -R -v /var/lib /var/spool
rpm -q -l mysql-server | restorecon -R -v -f -
service mysqld restart
service httpd restart
