Squirrelmail forward plugin
Nicklas Norling
exinor at exinor.net
Fri Jul 29 09:44:36 UTC 2005
Hi,
I've compiled a local policy for the squirrel plugin mail_fwd found at
http://www.squirrelmail.org/plugin_view.php?id=16.
The minimum required for creating and removing a users .forward file is:
allow httpd_sys_script_t self:capability { setgid setuid };
allow httpd_sys_script_t user_home_dir_t:dir { write add_name remove_name };
allow httpd_sys_script_t user_home_dir_t:file { write create getattr
unlink };
Are these appropriate for inclusion in the next targetted policy or should I
send this info for inclusion in the plugins docs? Seems like an awful
lot of rights
to hand out?
The plugin has 18000 downloads according to their webpage.
/Nicke
Nicklas Norling wrote:
> Hi.
>
> Just noted a user tried to add .forward by using the forwarding module
> in squirrelmail.
>
> Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc:
> denied { setgid } for pid=24466 comm="wfwd" capability=6
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
>
> httpd log:
> /usr/local/sbin/wfwd: Operation not permitted
>
> [root at spock html]# audit2allow -d -l
> allow httpd_sys_script_t self:capability setgid;
>
> The tool used is wfwd.
>
<snip>
More information about the fedora-selinux-list
mailing list