On 01/04/2011 10:42 AM, Dominick Grift wrote:
> On 01/04/2011 02:46 AM, Kristen wrote:
>> I am attempting to use qmailadmin offered by http://www.inter7.com/ This is
>> implemented by a plugin in squirrelmail. The program qmailadmin allows users
>> to change their vpopmail passwords through the web interface.
>>
>> Solutions found when searching for an answer all state "selinux enforcing
>> will not allow qmailadmin to set uid". "Disable selinux if it is enabled".
>>
>> This is not a solution I'm willing to accept.
>>
>> vpopmail directory has this context:
>>
>> # vpopmail vchkpw user_u:object_r:user_home_t
>>
>> Summary:
>>
>> SELinux is preventing the qmailadmin from using potentially mislabeled files
>> (./1294101113.qw).
>>
>> Detailed Description:
>>
>> SELinux has denied qmailadmin access to potentially mislabeled file(s)
>> (./1294101113.qw). This means that SELinux will not allow qmailadmin to use
>> these files.
>>
>> Additional Information:
>>
>> Source Context                user_u:system_r:httpd_sys_script_t
>> Target Context                user_u:object_r:user_home_t
>> Target Objects                ./1294101113.qw [ dir ]
>> Source                        qmailadmin
>> Source Path                   /var/www/cgi-bin/qmailadmin
>> Port                          <Unknown>
>> Host                          host.atmyhome
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   home_tmp_bad_labels
>> Host Name                     host.atmyhome
>> Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue
>>                               Nov 9 12:54:40 EST 2010 i686 i686
>> Alert Count                   1
>> First Seen                    Mon Jan 3 15:31:53 2011
>> Last Seen                     Mon Jan 3 15:31:53 2011
>> Local ID                      f2265c4e-f0eb-4578-a760-0cf0678b2216
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
>> add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw"
>> scontext=user_u:system_r:httpd_sys_script_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=dir
>>
>> host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied {
>> create } for pid=6717 comm="qmailadmin" name="1294101113.qw"
>> scontext=user_u:system_r:httpd_sys_script_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>> host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003
>> syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0
>> ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508
>> egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
>> exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
>> key=(null)
>>
>> Also this one follows:
>>
>> SELinux is preventing the qmailadmin from using potentially mislabeled files
>> (/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw).
>>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied but was
>> permitted due to permissive mode.]
>>
>> SELinux has denied qmailadmin access to potentially mislabeled file(s)
>> (/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw). This means
>> that SELinux will not allow qmailadmin to use these files.
>>
>> Allowing Access:
>>
>> If you want qmailadmin to access these files, you need to relabel them using
>> restorecon -v
>> '/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw'.
>>
>> Additional Information:
>>
>> Source Context                user_u:system_r:httpd_sys_script_t
>> Target Context                user_u:object_r:user_home_t
>> Target Objects                /home/vpopmail/domains/atmyhome.org/kris_s/Maildir
>>                               /1294101113.qw [ file ]
>> Source                        qmailadmin
>> Source Path                   /var/www/cgi-bin/qmailadmin
>> Port                          <Unknown>
>> Host                          host.atmyhome
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   home_tmp_bad_labels
>> Host Name                     host.atmyhome
>> Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue
>>                               Nov 9 12:54:40 EST 2010 i686 i686
>> Alert Count                   1
>> First Seen                    Mon Jan 3 15:31:53 2011
>> Last Seen                     Mon Jan 3 15:31:53 2011
>> Local ID                      3d48d4c0-326f-4322-9354-4b71e74ee2dc
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc: denied {
>> write } for pid=6717 comm="qmailadmin"
>> path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw"
>> dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>> host=host.atmyhome type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003
>> syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=21470
>> pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503
>> sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin"
>> exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0
>> key=(null)
>>
>> I am thinking that vpopmail should not have the context of user_home_t even
>> though it is in the /home directory. But what to change the context to I'm not
>> sure.
>
> Is vpopmail a user on your system? If so, can you show me its entry from
> /etc/passwd? (If this is an actual user account then it should be mapped
> to the /sbin/nologin or /bin/false shell.)
>
> I guess I would look in the qmailadmin configuration to see if I can
> configure which location qmailadmin uses for this info, and if possible I
> would probably change it to something like /var/lib/vpopmail and then
> label that dir httpd_sys_content_rw_t.
>
> If that is not possible then I would probably look into labelling
> /home/vpopmail(/.*)? httpd_sys_content_rw_t.
>
> httpd_sys_script_t can manage httpd_sys_content_rw_t content.
>
> Since it's actually storing confidential data I would probably use the
> apache_content_template() to create a special domain for qmailadmin so
> that it is separated from your other cgi webapps.
>
> Then you can, if needed, also extend that domain to allow qmailadmin
> whatever it needs and is not allowed already.
>
> In conclusion:
>
> 1. Is vpopmail an actual user on the system? (grep vpopmail /etc/passwd;
> grep qmailadmin /etc/passwd;)
>
> 2. Can vpopmail/qmailadmin be configured to store its information in a
> specified location? (So that we can move it from /home/vpopmail to
> something like /var/lib/vpopmail.)
>
> 3. Did vpopmail/qmailadmin install that /home/vpopmail directory? (rpm
> -ql qmailadmin)
>
> Once you have answered the questions above I can probably be more helpful.

Actually this may (or may not) be more complicated than I initially thought.

Another possible solution (sub-optimal) is to label /home/vpopmail(/.*)
public_content_rw_t and allow (probably amongst others) httpd_sys_script_t
access to it (apache_anon_write boolean?)

It depends on your requirements. Who/what needs to be able to interact with
/home/vpopmail.* (some mta, users? etc)?
>> Bless you all
>>
>> Kristen
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
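An added example, not part of this thread and not code from qmailadmin, vpopmail or the Fedora policy: a small Python triage script that parses the raw AVC records Kristen quoted (embedded below as a constructed sample, with the host= prefix and the SYSCALL records dropped), collapses them into the allow rules audit2allow would propose, lists the absolute paths that were hit, and emits the semanage/restorecon commands for the relabel approach Dominick suggests. Seeing both side by side makes the trade-off concrete: the allow rules would let every process in httpd_sys_script_t (every plain CGI on the box) create and write every user_home_t file, whereas relabeling /home/vpopmail(/.*)? to httpd_sys_content_rw_t confines the change to the mail store. The path regex and target type handed to relabel_commands are the thread's suggestion, not a verified qmailadmin requirement, and the way the script derives the restorecon root from the regex (everything before the first "(") is a simplifying assumption.

```python
"""Triage helper for SELinux AVC denials like the ones quoted in this thread.

Parses raw ``type=AVC`` records, groups them into the allow rules that
audit2allow would propose, lists the absolute paths that were hit, and emits
the semanage/restorecon commands for a relabel fix instead.
"""
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted above, one per line
# (the leading "host=..." field and the SYSCALL records are omitted).
SAMPLE_AVCS = """\
type=AVC msg=audit(1294101113.176:2334): avc: denied { add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1294101113.176:2334): avc: denied { create } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1294101113.179:2335): avc: denied { write } for pid=6717 comm="qmailadmin" path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw" dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# 'avc: denied { perm perm } for key=value key="quoted value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant parts of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts are user:role:type[:level]; only the type matters for TE rules.
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),   # absolute path, when the kernel had one
        "name": fields.get("name"),   # bare dentry name otherwise
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(avc_text):
    """Group denials by (source type, target type, class) -> union of permissions."""
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def as_allow_rules(rules):
    """Render the grouped denials the way audit2allow would (sorted for stable output)."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in rules.items()
    )


def affected_paths(avc_text):
    """Absolute paths named in the denials; this tells you which tree is mislabeled."""
    return {
        rec["path"]
        for rec in map(parse_avc, avc_text.splitlines())
        if rec and rec["path"]
    }


def relabel_commands(path_regex, new_type):
    """Persistent fcontext rule plus restorecon, the fix preferred in the thread.

    Assumption: the regex starts with the literal directory to relabel, so the
    part before the first '(' is the tree restorecon should walk.
    """
    root = path_regex.split("(", 1)[0]
    return [
        "semanage fcontext -a -t %s '%s'" % (new_type, path_regex),
        "restorecon -Rv '%s'" % root,
    ]


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    print("# audit2allow would propose (broad: any httpd_sys_script_t CGI, any user_home_t file):")
    for r in as_allow_rules(rules):
        print(r)
    print("# paths actually hit:")
    for p in sorted(affected_paths(SAMPLE_AVCS)):
        print(p)
    print("# relabel instead, as suggested in the thread:")
    for cmd in relabel_commands("/home/vpopmail(/.*)?", "httpd_sys_content_rw_t"):
        print(cmd)
```

Feed it `ausearch -m avc -ts recent` output instead of the sample to triage a live box. If the allow rules it prints name a generic type such as user_home_t as the target, that is the signal to fix labels rather than policy; the semanage fcontext rule survives a relabel, while a bare chcon does not.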