LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

07-05-2005, 11:16 PM   #1
rioguia
access denied on squirrelmail / dovecot / SE Linux policy


I am attempting to troubleshoot a clean install of Fedora Core 3 to be used as a mailserver. I am denied access via squirrelmail and the error message from /var/log/messages is:

Quote:
Jul 6 00:05:26 ns1 kernel: audit(1120622726.472:0): avc: denied { connect } for pid=3690 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
I have the latest RPMs installed for Fedora Core 3 for Dovecot IMAP, Postfix, and Squirrelmail. I have set SELINUX=enabled in /etc/selinux/config and installed the latest targeted policy RPM from Dan Walsh at Red Hat (selinux-policy-targeted-1.17.30-3.16.noarch.rpm). This is supposed to fix the policy to allow squirrelmail to access dovecot imap.

My search of the forum confirms that this is a policy issue but the thread addressing this issue "solved" the problem by disabling SE Linux. See
http://www.linuxquestions.org/questi...=dovecot+audit

Two Questions:
1. Can someone help me correct the policy for this error message?
2. Can someone point me to a text or tutorial that will help me understand SE Linux and some of the basic commands associated with setting the policy, etc.?
 
07-06-2005, 04:58 AM   #2
Krugger

You should get setools to configure your system.

And I believe you need to put create_socket_perms or rw_socket_perms somewhere in your policy so that you have access to sockets.

Or something like

allow httpd_t netmsg_type:tcp_socket { connectto }

But you may want to use the tools.

You can probably also solve the problem by using the roles.
 
07-06-2005, 11:25 PM   #3
rioguia (Original Poster)
Working solution needs explanation and improvement

I think I have a working solution. Can someone explain it and provide a better / safer way to do this? Or show me a way to reload the policy, etc. without rebooting?

I couldn't seem to make use of setools. Is there a command path I am missing?

Regardless, I did find a solution that works, but I can't recommend this since I really don't understand what this configuration change does.

I need to provide httpd access to the socket. Anybody have any ideas or a good manual that talks about setting permissions for sockets? I found a solution using a similar problem at this post:
http://forums.fedoraforum.org/forum/...ghlight=socket

This apparently is a known bug.
https://bugzilla.redhat.com/bugzilla....cgi?id=158181


The solution is:

Step 1.
vi /etc/selinux/targeted/booleans

Step 2.
insert:
httpd_can_network_connect=1

Step 3.
save and reboot.

Another possible solution is suggested here:
http://www.fedoraforum.org/forum/sho...2&postcount=12

Last edited by rioguia; 07-27-2005 at 09:57 AM.
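
An added example, not part of the thread and not code from any poster: it decodes the AVC denial quoted in the first post into its fields and renders the exact allow rule that denial corresponds to, the same transformation the audit2allow tool performs, so the rule can be reviewed before any policy change. The function names and the `BOOLEAN_HINTS` table are hypothetical; its single entry is the boolean that post #3 reports as resolving this denial.

```python
import re

# The denial quoted in the first post, copied from the thread.
SAMPLE = (
    "Jul 6 00:05:26 ns1 kernel: audit(1120622726.472:0): avc: denied { connect } "
    "for pid=3690 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t "
    "tcontext=user_u:system_r:httpd_t tclass=tcp_socket"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# (source type, class, permission) -> boolean. The one entry is the boolean the
# thread reports as resolving this denial; the table itself is hypothetical.
BOOLEAN_HINTS = {("httpd_t", "tcp_socket", "connect"): "httpd_can_network_connect"}

def context_type(ctx):
    """Return the type field of a user:role:type[:range] context, or None."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Extract the fields of an 'avc: denied' line; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    source = context_type(fields.get("scontext", ""))
    target = context_type(fields.get("tcontext", ""))
    if not (source and target and "tclass" in fields):
        return None
    return {"perms": m.group("perms").split(), "exe": fields.get("exe"),
            "source": source, "target": target, "tclass": fields["tclass"]}

def allow_rule(avc):
    """Render the rule that would permit exactly this denial (for review)."""
    target = "self" if avc["target"] == avc["source"] else avc["target"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {target}:{avc['tclass']} {perm_text};"

def boolean_hints(avc):
    """Booleans from BOOLEAN_HINTS that cover any denied permission."""
    keys = [(avc["source"], avc["tclass"], p) for p in avc["perms"]]
    return sorted({BOOLEAN_HINTS[k] for k in keys if k in BOOLEAN_HINTS})

if __name__ == "__main__":
    avc = parse_avc(SAMPLE)
    print(avc)
    print(allow_rule(avc))
    print(boolean_hints(avc))
```

For the quoted denial the source and target types are both httpd_t, so the rule is written against `self`. On systems that ship the `setsebool` utility, `setsebool -P httpd_can_network_connect 1` sets the boolean persistently without a reboot.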