Old 09-26-2010, 11:16 PM
Mathieu Baudier
 
Bugzilla 3.6.2 + sendmail + SELinux

Hello,

I have deployed Bugzilla 3.6.2 on CentOS 5 (with rpmforge perl-*
packages) and I have a problem with SELinux preventing mail being sent
via sendmail.
(see SELinux reports below, especially the second one)

When SELinux is in permissive mode, mail sending from Bugzilla is
working properly.

Has anybody got recent Bugzilla to work with SELinux on CentOS?

Thanks in advance!

Mathieu


--------------------------------------------------------------------------------


Summary:

SELinux is preventing the sendmail from using potentially mislabeled files
./spool (var_spool_t).

Detailed Description:

SELinux has denied the sendmail access to potentially mislabeled files ./spool.
This means that SELinux will not allow httpd to use these files. Many third
party apps install html files in directories that SELinux policy cannot predict.
These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of ./spool so that the httpd daemon can
access it, you need to execute it using chcon -t httpd_sys_content_t './spool'.
You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context system_u:system_r:httpd_bugzilla_script_t
Target Context system_u:object_r:var_spool_t
Target Objects ./spool [ dir ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host <Unknown>
Source RPM Packages sendmail-8.13.8-8.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_bad_labels
Host Name www
Platform Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21 05:04:09 EDT 2010 x86_64 x86_64
Alert Count 1
First Seen Mon Sep 27 02:07:43 2010
Last Seen Mon Sep 27 02:07:43 2010
Local ID 24372577-2d4c-4bbe-be6b-ea9100b7c3ed
Line Numbers 11701, 11702

Raw Audit Messages

type=AVC msg=audit(1285546063.60:15): avc: denied { search } for
pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722
scontext=system_u:system_r:httpd_bugzilla_script_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

type=SYSCALL msg=audit(1285546063.60:15): arch=c000003e syscall=80
success=no exit=-13 a0=7fffeddf6060 a1=17 a2=fff a3=0 items=0
ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)



--------------------------------------------------------------------------------


Summary:

SELinux is preventing sendmail (httpd_bugzilla_script_t) "create" to <Unknown>
(httpd_bugzilla_script_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:httpd_bugzilla_script_t
Target Context system_u:system_r:httpd_bugzilla_script_t
Target Objects None [ unix_dgram_socket ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host <Unknown>
Source RPM Packages sendmail-8.13.8-8.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name www
Platform Linux www 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21 05:04:09 EDT 2010 x86_64 x86_64
Alert Count 1
First Seen Mon Sep 27 02:07:43 2010
Last Seen Mon Sep 27 02:07:43 2010
Local ID f7aa29e4-40d9-4184-904e-4dfb93c57ea7
Line Numbers 11703, 11704

Raw Audit Messages

type=AVC msg=audit(1285546063.61:16): avc: denied { create } for
pid=3420 comm="sendmail"
scontext=system_u:system_r:httpd_bugzilla_script_t:s0
tcontext=system_u:system_r:httpd_bugzilla_script_t:s0
tclass=unix_dgram_socket

type=SYSCALL msg=audit(1285546063.61:16): arch=c000003e syscall=41
success=no exit=-13 a0=1 a1=2 a2=0 a3=7373696d72655020 items=0
ppid=3418 pid=3420 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-27-2010, 02:58 AM
"Joseph L. Casale"
 
Bugzilla 3.6.2 + sendmail + SELinux

/snip
>Allowing Access:
/snip

Out of curiosity, when you read the log, did you attempt the suggestion w/o success?
 
Old 09-27-2010, 09:51 AM
Mathieu Baudier
 
Bugzilla 3.6.2 + sendmail + SELinux

> Out of curiosity, when you read the log, did you attempt the suggestion w/o success?

Not really (yet):
- for the first one (./spool), I have not clearly identified (yet)
where the file is being created
- for the second they talk about creating a policy module, and even
though I may have to go this way, I thought I would first check with
the list if there was something simpler that could be done (googling
around did not help much).

I have the following booleans set:
httpd_can_sendmail --> on

I'm trying to progress thoughtfully because I know that it is way too
easy to start messing around with SELinux contexts, etc., and I
typically want sendmail to be more secure than less.

I'm now looking at audit2allow:
http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01



 
Old 09-27-2010, 11:31 AM
Mathieu Baudier
 
Bugzilla 3.6.2 + sendmail + SELinux

> I'm now looking at audit2allow:
> http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

To follow up on this, audit2allow provided a satisfactory solution
(comments on that kind of approach still welcome!):

# turn the logged denials for sendmail into a type-enforcement source module
grep sendmail /var/log/audit/audit.log | audit2allow -m sendmaillocal > sendmaillocal.te
# review and backup sendmaillocal.te
# compile the .te source into a binary policy module
checkmodule -M -m -o sendmaillocal.mod sendmaillocal.te
# package the module into a .pp that semodule can load
semodule_package -o sendmaillocal.pp -m sendmaillocal.mod
# install it into the running policy (persists across reboots)
semodule -i sendmaillocal.pp

Once again the CentOS Wiki proved to be an invaluable source of information.
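The "review and backup sendmaillocal.te" step is where the security decision is made, so it helps to know what audit2allow derives from the two AVC records in the first post. The following is an added example, not code from the thread and not audit2allow itself: a small Python reimplementation of the parsing and rendering step, fed a constructed sample of the two denials as they would appear unwrapped in /var/log/audit/audit.log. It filters on comm="sendmail" rather than grepping the word anywhere on the line (an assumption about what is wanted; the post's grep is wider), and it writes the target as `self` when source and target types are the same, which is what audit2allow does and what the second denial (httpd_bugzilla_script_t to httpd_bugzilla_script_t on a unix_dgram_socket) will produce.

```python
import re

# Constructed sample: the two AVC denials quoted in the thread, written the way
# they appear unwrapped in /var/log/audit/audit.log, plus one of the SYSCALL
# records that accompanies them (audit2allow ignores those; so does this code).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1285546063.60:15): avc:  denied  { search } for  pid=3420 comm="sendmail" name="spool" dev=dm-2 ino=158722 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1285546063.60:15): arch=c000003e syscall=80 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
type=AVC msg=audit(1285546063.61:16): avc:  denied  { create } for  pid=3420 comm="sendmail" scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:system_r:httpd_bugzilla_script_t:s0 tclass=unix_dgram_socket
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Pick the type out of a user:role:type[:level] security context."""
    return context.split(":")[2]


def select_records(log_text, comm):
    """Keep only records for one program. This is narrower than the thread's
    `grep sendmail`, which matches the word anywhere on the line (assumption:
    rules are wanted for the sendmail process only, not for anything mentioning it)."""
    return "\n".join(l for l in log_text.splitlines() if f'comm="{comm}"' in l)


def parse_denials(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions.
    As audit2allow does, a target of the same type as the source is written 'self'."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = type_of(m.group("scontext"))
        tgt = type_of(m.group("tcontext"))
        key = (src, "self" if tgt == src else tgt, m.group("tclass"))
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules


def _fmt(perms):
    """SELinux policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, version="1.0"):
    """Render the parsed denials as a type-enforcement (.te) source module in the
    shape `audit2allow -m` produces: module header, require block, allow rules."""
    types, classes = set(), {}
    for (src, tgt, cls), perms in rules.items():
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    current_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != current_src:  # one commented section per source domain
            lines.append(f"#============= {src} ==============")
            current_src = src
        lines.append(f"allow {src} {tgt}:{cls} {_fmt(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(select_records(SAMPLE_AUDIT_LOG, "sendmail"))
    print(render_te("sendmaillocal", denials), end="")
```

Read the result the way you would read the real sendmaillocal.te: each allow rule grants exactly the permission that was denied and nothing wider, so `allow httpd_bugzilla_script_t var_spool_t:dir search;` lets the Bugzilla CGI domain traverse /var/spool and does not let it write there. One caveat when collecting the input: in enforcing mode the first denial aborts the operation, so a denial that would follow it only shows up after the first is allowed; gathering the log while SELinux is permissive (which the first post says already makes mail work) captures the whole set in one pass. After `semodule -i`, `semodule -l` lists the module, and a genuinely new denial afterwards means the set was incomplete rather than the module broken.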
 