Re: selinux-policy-targeted-2.6.4-49.fc7 blocking httpd from sendmail.postfix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2 Nov 2007 13:58:18 -0500
"Robert C. Auch" <rauch@xxxxxxxxxxxxxxxxxxxxx> wrote:

> I just installed a Fedora Core 7 box, ran yum update yesterday, and
> installed php5 and apache 2.2.6.  SELinux is in Enforcing mode, and
> is blocking PHP's mail() function from sending:
> 
> Nov  2 11:05:41 webserver setroubleshoot:      SELinux is preventing
> the sh from using potentially mislabeled files sendmail.postfix
> (sendmail_exec_t).      For complete SELinux messages. run sealert -l
> c9001c48-5d48-4b7c-9fd7-8400544daa8f
> 
> sealert says:
> Source Context                user_u:system_r:httpd_t
> Target Context                system_u:object_r:sendmail_exec_t
> Target Objects                /usr/sbin/sendmail.postfix [ file ]
> Affected RPM Packages         postfix-2.4.3-2.fc7 [target]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.httpd_bad_labels
> 
> If I follow sealert's suggestion and "chcon -t
> httpd_sys_content_t /usr/sbin/sendmail.postfix", then I get the
> following (expected to me) errors in /var/log/messages on "service
> postfix restart": Nov  2 13:38:25 $(server) setroubleshoot:
> SELinux is preventing postfix-script (postfix_master_t) "getattr"
> to /usr/sbin/sendmail.postfix (httpd_sys_content_t).      For
> complete SELinux messages. run sealert -l
> b8bea1cd-10eb-40bc-8d5b-2031b5bceabe
> 
> According to this post:
> https://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html,
> this problem has been seen before and was fixed in
> selinux-policy-targeted-1.19.8-1.  Has that fix been lost, or am I
> seeing something new?

The context change is definitely the wrong thing to do here; you'll
need to change it back to system_u:object_r:sendmail_exec_t.

Make sure you have the httpd_can_sendmail and 
httpd_builtin_scripting booleans set:
# setsebool -P httpd_can_sendmail 1
# setsebool -P httpd_builtin_scripting 1

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux