Squirrelmail forward plugin

Nicklas Norling exinor at exinor.net
Fri Jul 29 09:44:36 UTC 2005


I've compiled a local policy for the squirrel plugin mail_fwd found at

The minimum required for creating and removing a user's .forward file is:

allow httpd_sys_script_t self:capability { setgid setuid };
allow httpd_sys_script_t user_home_dir_t:dir { write add_name remove_name };
allow httpd_sys_script_t user_home_dir_t:file { write create getattr unlink };

Are these appropriate for inclusion in the next targeted policy or should I
send this info for inclusion in the plugin's docs? Seems like an awful lot of
rights to hand out?

The plugin has 18000 downloads according to their webpage.

Nicklas Norling wrote:

> Hi.
> Just noted a user tried to add .forward by using the forwarding module 
> in squirrelmail.
> Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc:  
> denied  { setgid } for  pid=24466 comm="wfwd" capability=6 
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
> httpd log:
> /usr/local/sbin/wfwd: Operation not permitted
> [root at spock html]# audit2allow -d -l
> allow httpd_sys_script_t self:capability setgid;
> The tool used is wfwd.
