Bug 453707 - SELinux is preventing sendmail (system_mail_t) "append" to /var/www/html/dhighley/logs/www-error (httpd_sys_content_t).
Summary: SELinux is preventing sendmail (system_mail_t) "append" to /var/www/html/dhig...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-02 05:27 UTC by David Highley
Modified: 2008-07-02 13:15 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-02 13:15:43 UTC



Description David Highley 2008-07-02 05:27:31 UTC
Description of problem:
Logging errors when sending E-mail via squirrel mail

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-109.fc8

How reproducible:


Steps to Reproduce:
1. https://www.server.com/webmail/
2. compose an E-mail
3. send E-mail
  
Actual results:
After setting the Boolean to Allow http daemon to send mail, sending of E-mail
via squirrel mail works. But selinux is still logging an error:

type=AVC msg=audit(1214973802.839:1909): avc:  denied  { getattr } for  pid=3845
comm="sendmail" path="/etc/mail/submit.cf" dev=dm-0 ino=13946875
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0
tclass=file
type=SYSCALL msg=audit(1214973802.839:1909): arch=c000003e syscall=4 success=no
exit=-13 a0=7f232f445100 a1=7fff371f95a0 a2=7fff371f95a0 a3=0 items=0 ppid=16658
pid=3845 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51
fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1214973802.854:1910): avc:  denied  { getattr } for  pid=3845
comm="sendmail" path="/etc/mail/sendmail.cf" dev=dm-0 ino=13946873
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0
tclass=file
type=SYSCALL msg=audit(1214973802.854:1910): arch=c000003e syscall=4 success=no
exit=-13 a0=7fff371f4590 a1=7fff371f55f0 a2=7fff371f55f0 a3=7fff371f45a5 items=0
ppid=16658 pid=3845 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1214973846.220:1911): bool=httpd_can_sendmail
val=1 old_val=0 auid=0 ses=303
type=USER_AVC msg=audit(1214973846.227:1912): user pid=1868 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
received policyload notice (seqno=5) : exe="?" (sauid=81, hostname=?, addr=?,
terminal=?)'
type=SYSCALL msg=audit(1214973846.220:1911): arch=c000003e syscall=1 success=yes
exit=2 a0=6 a1=7fff96073d80 a2=2 a3=577082 items=0 ppid=3851 pid=3852 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=303
comm="setsebool" exe="/usr/sbin/setsebool" subj=system_u:system_r:setsebool_t:s0
key=(null)
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-error" dev=dm-0
ino=9984485 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854
comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0
ino=9984483 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1214973858.726:1913): arch=c000003e syscall=59
success=yes exit=0 a0=198ad50 a1=198afd0 a2=198ae00 a3=8 items=0 ppid=16644
pid=3854 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51
fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-07-02 13:15:43 UTC
This looks like a local customization, so you need to provide local policy

# grep system_mail /var/log/audit/audit.log | audit2allow -M mymail
# semodule -i mymail.pp
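
Before a module built from these denials is installed, it is worth seeing which allow rules the matching records amount to. The following is an added example, not part of the original report and not audit2allow's own code: it groups AVC denials by source type, target type and class, and lists the paths involved. The sample log is constructed from records in the report, re-joined onto single lines; `summarize_denials` and `candidate_rules` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the report above and re-joined onto
# single lines, the way they are stored in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1214973802.839:1909): avc:  denied  { getattr } for  pid=3845 comm="sendmail" path="/etc/mail/submit.cf" dev=dm-0 ino=13946875 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854 comm="sendmail" path="/var/www/html/dhighley/logs/www-error" dev=dm-0 ino=9984485 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1214973858.726:1913): avc:  denied  { append } for  pid=3854 comm="sendmail" path="/var/www/html/dhighley/logs/www-access" dev=dm-0 ino=9984483 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=MAC_CONFIG_CHANGE msg=audit(1214973846.220:1911): bool=httpd_can_sendmail val=1 old_val=0 auid=0 ses=303
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
PATH_RE = re.compile(r'\bpath="([^"]*)"')

def summarize_denials(log_text, source_type=None):
    """Group AVC denials as {(source, target, class): {"perms", "paths"}}."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, MAC_CONFIG_CHANGE, USER_AVC, ...
        # A context is user:role:type[:level]; the type is the third field.
        src, tgt = (m[k].split(":")[2] for k in ("scon", "tcon"))
        if source_type and src != source_type:
            continue
        entry = rules[(src, tgt, m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["paths"].update(PATH_RE.findall(line))
    return dict(rules)

def candidate_rules(summary):
    """Render each group as the allow rule a local module would have to carry."""
    out = []
    for (src, tgt, cls), e in sorted(summary.items()):
        perms = sorted(e["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return out

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG, source_type="system_mail_t")
    for rule in candidate_rules(summary):
        print(rule)
    for e in summary.values():
        print("  paths:", ", ".join(sorted(e["paths"])))
```

Filtering on `system_mail_t` leaves out the earlier `httpd_t` getattr denials, which were logged before `httpd_can_sendmail` was set.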


