Hi,
I've compiled a local policy for the squirrel plugin mail_fwd found at
http://www.squirrelmail.org/plugin_view.php?id=16.
The minimum required for creating and removing a users .forward file is:
allow httpd_sys_script_t self:capability { setgid setuid };
allow httpd_sys_script_t user_home_dir_t:dir { write add_name remove_name };
allow httpd_sys_script_t user_home_dir_t:file { write create getattr
unlink };
Are these appropriate for inclusion in the next targetted policy or should I
send this info for inclusion in the plugins docs? Seems like an awful
lot of rights
to hand out?
The plugin has 18000 downloads according to their webpage.
/Nicke
Nicklas Norling wrote:
Hi.
Just noted a user tried to add .forward by using the forwarding module
in squirrelmail.
Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc:
denied { setgid } for pid=24466 comm="wfwd" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
httpd log:
/usr/local/sbin/wfwd: Operation not permitted
[root@spock html]# audit2allow -d -l
allow httpd_sys_script_t self:capability setgid;
The tool used is wfwd.
<snip>
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
