When I said CentOS 5 I meant 5.x, or in this case 5.10.
I only just enabled setroubleshoot logging (run_init service setroubleshoot restart):
Code:
2013-12-11 12:28:46,617 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2013-12-11 12:28:46,655 [avc.INFO] audit socket (/var/run/audispd_events) connected
2013-12-11 12:28:46,659 [server.INFO] creating system dbus: bus_name=com.redhat.setroubleshootd object_path=/com/redhat/setroubleshootd interface=com.redhat.SEtroubleshootdIface
And actually the last thing I did last night may have resolved this:
Code:
#>chcon -t sendmail_exec_t -r object_r /var/www/html/rmt2-bin/rmt2-mailgate
#>semanage fcontext -a -t sendmail_exec_t "/var/www/html/rmt2-bin/rmt2-mailgate"
However, I am not sure this was the best or most secure method for doing so. I am still interested in some guidance.
The original mailgate AVCs were:
Code:
type=AVC msg=audit(1386706253.608:4912): avc: denied { connectto } for pid=31027 comm="rmt2-mailgate" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1386706253.608:4912): avc: denied { write } for pid=31027 comm="rmt2-mailgate" name="mysql.sock" dev=dm-1 ino=714609 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1386692999.697:4842): avc: denied { execute } for pid=30656 comm="local" name="rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1386692999.697:4842): avc: denied { execute_no_trans } for pid=30656 comm="local" path="/var/www/html/rmt2-bin/rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1386692999.697:4842): avc: denied { read } for pid=30656 comm="local" path="/var/www/html/rmt2-bin/rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Code:
[root@xxxx ~]# getsebool -a | grep mail
allow_postfix_local_write_mail_spool --> on
fetchmail_disable_trans --> off
logging_syslogd_can_sendmail --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
[root@xxxx ~]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
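An added example, not from the thread or from setroubleshoot: it parses AVC records like the ones quoted above, groups them by source type, target type and object class, and prints a defender-side reading of each group (relabel the file, or grant the domain access via policy). The sample lines are copied from the post; the hint wording is an assumption of mine, not policy output.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the AVC records quoted in the post above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1386706253.608:4912): avc: denied { connectto } for pid=31027 comm="rmt2-mailgate" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1386706253.608:4912): avc: denied { write } for pid=31027 comm="rmt2-mailgate" name="mysql.sock" dev=dm-1 ino=714609 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1386692999.697:4842): avc: denied { execute } for pid=30656 comm="local" name="rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# One AVC record: timestamp, serial, the denied permission set, then key=value fields.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'serial': int(m.group('serial')), 'perms': m.group('perms').split(), **fields}
    # A context is user:role:type[:range]; the type is what policy rules key on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(audit_text):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def hint(stype, ttype, tclass, perms):
    """Defender-side reading of a denial group (assumed wording): relabel, or grant access."""
    if tclass == 'file' and 'execute' in perms and ttype.endswith('_content_t'):
        return ('%s executes a file labelled %s (web content); fix the file label with '
                'semanage fcontext rather than loosening %s' % (stype, ttype, stype))
    if tclass in ('sock_file', 'unix_stream_socket'):
        return '%s needs access to the %s socket; grant it via policy, not by disabling SELinux' % (stype, ttype)
    return 'review %s -> %s (%s): %s' % (stype, ttype, tclass, ' '.join(perms))


if __name__ == '__main__':
    for key, perms in summarize(SAMPLE_AVCS).items():
        print(key, perms, '=>', hint(*key, perms))
```

Pipe `ausearch -m avc` output into `summarize()` to get the same grouping for a live audit log.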