Squirrelmail SElinux Default preference file not found or not readable
Hello,
I have been doing searches and researching this problem for two days now and have not been able to come up with any solution other than turning off SELinux with
Code:
setenforce 0
The error I am getting when I try to log onto my squirrelmail page is the following:
Code:
Error opening /var/local/squirrelmail/data/default_pref
Default preference file not found or not readable!
Please contact your system administrator and report this error.
I have made sure the directory is owned by apache and apache has read/write access to the directory
Code:
[root@myServer ~]# cd /var/local
[root@myServer local]# ls -al
total 24
drwxr-xr-x 3 root root 4096 Mar 22 14:50 .
drwxr-xr-x 27 root root 4096 Mar 22 15:00 ..
drwxr-xr-x 17 apache apache 4096 Mar 22 15:01 squirrelmail
[root@myServer local]# cd squirrelmail
[root@myServer squirrelmail]# ls -la
total 328
drwxr-xr-x 17 apache apache 4096 Mar 22 15:01 .
drwxr-xr-x 3 root root 4096 Mar 22 14:50 ..
drwx-wx--- 2 root apache 4096 Mar 22 15:01 attach
drwxr-xr-x 2 apache apache 4096 Mar 22 18:17 data
[root@myServer squirrelmail]# cd data
[root@myServer data]# ls -l
total 24
-rw------- 1 apache apache 52 Mar 22 18:17 someuser.pref
-rw-r--r-- 1 apache apache 41 Mar 22 14:58 default_pref
-rw-r--r-- 1 apache apache 485 Mar 22 14:58 index.php
[root@myServer data]#
someuser was a user I logged on as with setenforce 0, and it created his preference file then. However it cannot access even his preference file when I log on as him when I have SELinux turned back on.
I am running FedoraCore 5.
Is there any way I can give httpd access to that directory for user preferences and default preferences without turning off SELinux?
IMHO the most generic approach would be to look for SELinux warnings in syslog and audit.log, run them through audit2allow and add to your local policy.
As I recall, I had to set httpd_can_network_connect for SM to work with SELinux.
Try setsebool -P httpd_can_network_connect 1
I have already done this. It was necessary to allow SquirrelMail to log into my imap server. But thank you for the suggestion.
Quote:
IMHO the most generic approach would be to look for SELinux warnings in syslog and audit.log, run them through audit2allow and add to your local policy.
UnSpawn thank you for this. I am looking it up in audit.log now and see the message. I will research how to use audit2allow.
I couldn't find a log called syslog in my /var/log
If I can't figure out how to use audit2allow I will post again.
OK, I took a small section of my audit.log that contains only the single attempt, from accessing my imap server to attempting to read the file, to prevent me from getting any additional suggestions that would create a security hole. Here is the suggestion it came up with.
Code:
allow httpd_t var_t:file read
Is there any way I can limit this rule to a specific location such as /var/local/squirrelmail/data?
Do you know where there are any good HOWTOs for Fedora Core 5's semanage? Looks like with Fedora that is how I will have to add this rule to SELinux.
Quote:
Originally Posted by terek
Is there any way I can limit this rule to a specific location such as /var/local/squirrelmail/data?
As far as I understand SELinux, your HTTP daemon runs in its own httpd module. It has rules to read config files (httpd_config_t), logs (httpd_log_t) and docroot (httpd_sys_content_t). It isn't expected to read files outside the docroot, so that's the boundary. Unfortunately a lot of /var contents are generically tagged "var_t", so indeed that means it *could* read other files. Fortunately SELinux operates *on top of* the discretionary access rights, so if a directory has access rights for user and group root with octal mode 0750 it couldn't read those contents being user www even if SELinux allowed it. Similarly, if a directory has access rights for user root and group www with octal mode 0710 it could only access files whose names it already knows.
Quote:
Originally Posted by terek
Do you know where there are any good howTo's for fedora core 5's semanage? Looks like with fedora that is how I will have to add this rule to SELinux.
The Fedora site has 'em all. If you have semodule see if "audit2allow -M /root/localpolicy < /var/log/audit/audit.log", review localpolicy.te, then "semodule -i /root/localpolicy.pp" works. Else you'll need to install the policy source files and do something like "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/localpolicy.te" and "make -C /etc/selinux/$POLICYTYPE/src/policy load".
* BTW FC5 is *deprecated*, no longer maintained. If you want to stay with Fedora you *must* plan installing the current release. I've done upgrading from F6 > F7 > F8 w/o probs, but YMMV.
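The point unSpawn makes above, that a read must pass the DAC check (owner, group and mode bits) *and* the SELinux type-enforcement check, is easy to see in a small model. The code below is an added example, not code from this thread or from the SELinux project: the `POLICY` table, the apache uid/gid of 48 and the directory modes are constructed assumptions, and the whole thing is a toy that mimics the two decisions rather than calling the kernel. It walks the four situations discussed in the thread: the apache-owned but still `var_t`-labelled tree, the same tree relabelled with a type httpd_t may read, unSpawn's 0750 root:root directory, and the 0710 root:www directory where opening a known file name works but listing does not.

```python
"""Toy model of a file read on an SELinux system: DAC first, then type
enforcement; both must allow.  Added example, not from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int      # permission bits only, e.g. 0o755
    uid: int
    gid: int
    setype: str    # the type field of the SELinux label, e.g. "var_t"


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    domain: str    # the domain the process runs in, e.g. "httpd_t"


# Constructed allow rules for this toy: (source domain, target type, class) -> permissions.
# The real httpd policy is far larger; only what the scenarios below need is modelled.
POLICY = {
    ("httpd_t", "var_t", "dir"): {"search", "getattr"},                    # may traverse /var, not read it
    ("httpd_t", "httpd_sys_content_t", "dir"): {"search", "read", "getattr"},
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr"},
}


def dac_allows(inode: Inode, proc: Process, bit: str) -> bool:
    """Classic owner/group/other check; bit is 'r', 'w' or 'x'."""
    if proc.uid == 0:
        return True                      # root bypasses DAC, but never the SELinux check below
    if proc.uid == inode.uid:
        triple = (inode.mode >> 6) & 0o7
    elif proc.gid == inode.gid:
        triple = (inode.mode >> 3) & 0o7
    else:
        triple = inode.mode & 0o7
    return bool(triple & {"r": 4, "w": 2, "x": 1}[bit])


def mac_allows(proc: Process, inode: Inode, tclass: str, perm: str, policy=POLICY) -> bool:
    """Type enforcement: is perm in the allow rule for (domain, type, class)?"""
    return perm in policy.get((proc.domain, inode.setype, tclass), set())


def read_file(path_dirs, target: Inode, proc: Process, policy=POLICY):
    """Open a file by name: each parent dir needs DAC x and SELinux dir:search,
    the file itself needs DAC r and SELinux file:read.  Returns (allowed, reason)."""
    for d in path_dirs:
        if not dac_allows(d, proc, "x"):
            return False, "DAC: no search permission on a parent directory"
        if not mac_allows(proc, d, "dir", "search", policy):
            return False, f"SELinux: avc denied {{ search }} for dir labelled {d.setype}"
    if not dac_allows(target, proc, "r"):
        return False, "DAC: no read permission on the file"
    if not mac_allows(proc, target, "file", "read", policy):
        return False, f"SELinux: avc denied {{ read }} for file labelled {target.setype}"
    return True, "allowed by both DAC and SELinux"


def list_dir(path_dirs, target: Inode, proc: Process, policy=POLICY):
    """Listing a directory needs DAC r and SELinux dir:read on it, unlike opening a known name."""
    for d in path_dirs:
        if not dac_allows(d, proc, "x") or not mac_allows(proc, d, "dir", "search", policy):
            return False, "cannot traverse a parent directory"
    if not dac_allows(target, proc, "r"):
        return False, "DAC: no read permission on the directory"
    if not mac_allows(proc, target, "dir", "read", policy):
        return False, f"SELinux: avc denied {{ read }} for dir labelled {target.setype}"
    return True, "allowed by both DAC and SELinux"


APACHE = Process(uid=48, gid=48, domain="httpd_t")     # assumed uid/gid of the apache user
VAR = Inode(0o755, 0, 0, "var_t")                      # /var
LOCAL = Inode(0o755, 0, 0, "var_t")                    # /var/local


def scenarios():
    out = {}
    # 1. the thread's situation: apache-owned and world-readable, but still labelled var_t
    data = Inode(0o755, 48, 48, "var_t")
    pref = Inode(0o644, 48, 48, "var_t")
    out["var_t_label"] = read_file([VAR, LOCAL, data], pref, APACHE)
    # 2. the same tree carrying a type httpd_t is allowed to read
    data2 = Inode(0o755, 48, 48, "httpd_sys_content_t")
    pref2 = Inode(0o644, 48, 48, "httpd_sys_content_t")
    out["relabelled"] = read_file([VAR, LOCAL, data2], pref2, APACHE)
    # 3. 0750 root:root directory: SELinux would allow, DAC stops it first
    data3 = Inode(0o750, 0, 0, "httpd_sys_content_t")
    out["dac_0750"] = read_file([VAR, LOCAL, data3], pref2, APACHE)
    # 4. 0710 root:apache directory: a known file name opens, a listing does not
    data4 = Inode(0o710, 0, 48, "httpd_sys_content_t")
    out["dac_0710_open"] = read_file([VAR, LOCAL, data4], pref2, APACHE)
    out["dac_0710_list"] = list_dir([VAR, LOCAL], data4, APACHE)
    return out


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:15} {'ALLOW' if ok else 'DENY ':5} {why}")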
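Scenario 1 reproduces the thread's symptom: the mode bits are fine, so the failure is the `avc: denied { read }` on a `var_t` file, which is why `ls -l` alone could not explain the error. Scenarios 3 and 4 are the two directory modes unSpawn describes; the model answers DENY for both listings without ever consulting the policy table.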
Thank you everyone for your help I have gotten it working and am going to take a break.
After much more research I found out I was wrong about having to use semanage.
I found this on fedoraproject.org:
http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-local.te
There is a spot for
Quote:
I have some avc denials that I would like to allow, how do I do this?
That is the section that helped me the most. Note I had to make sure I had the FC5's distribution of checkpolicy.rpm and got that from the install cd I had. When I tried to use the most current checkpolicy.rpm it would make a policy .mod file with version 6 and the semodule I was using would only take 4-5.
So here is my policy file that I made. Note I was selective on what was grabbed by looking at every denied message in audit.log and only pulling out the ones related to httpd and made sure they really were trying to do what I was expecting to do (like it would tell me what file it was trying to read/create/write etc).
Code:
module mailtest 1.0;

require {
	role object_r;
	role system_r;
	class dir { add_name write };
	class file { create getattr read write };
	type httpd_t;
	type var_t;
};

# The allow rules are missing from the post as extracted; these two are reconstructed
# from the require block above and from the audit2allow output earlier in the thread.
allow httpd_t var_t:dir { add_name write };
allow httpd_t var_t:file { create getattr read write };
Here are the instructions I used for anyone else who might have this problem with Fedora Core (note I don't think this method works with most distributions because I found a lot of examples where you would have to recompile SELinux with the new policies. Fedora said they made it so you could create policy modules that you could load manually. Also Fedora, in that link I listed earlier, said that if you load a policy module when another module already exists with the same name then it overwrites that policy. So be careful not to name it the same as an existing policy.)
Thanks again for all your help. I don't think I would have known to look up audit2allow if it weren't for your suggestion. Also thank you for pointing out that SELinux operates on top of the discretionary access rights, it is good to know.
terek
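The selection step terek describes in his last two posts (take only the AVC denials from httpd, check that the file each one names is the file you expect, then merge them into one module) is what audit2allow does without the review. The script below is an added example, not code from the thread or from the audit2allow tool: the audit.log lines are constructed in the FC5-era format, with one unrelated cupsd denial included to show it being filtered out, and `collect_rules` returns the `comm`/file-name evidence for each kept denial so a human can do the check terek did before loading anything.

```python
"""Filter AVC denials down to one source domain and render them as a policy
module, with the evidence needed to review each rule.  Added example; the log
lines are constructed, not taken from the thread's system."""
import re
from collections import defaultdict

# Constructed audit.log excerpt in the old single-line AVC format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1174600001.101:41): avc:  denied  { read } for  pid=2345 comm="httpd" name="default_pref" dev=sda2 ino=131100 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1174600001.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1174600002.202:42): avc:  denied  { write add_name } for  pid=2345 comm="httpd" name="data" dev=sda2 ino=131099 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1174600002.203:43): avc:  denied  { create } for  pid=2345 comm="httpd" name="someuser.pref" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1174600002.204:44): avc:  denied  { getattr write } for  pid=2345 comm="httpd" path="/var/local/squirrelmail/data/someuser.pref" dev=sda2 ino=131101 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1174600003.305:45): avc:  denied  { read } for  pid=901 comm="cupsd" name="printers.conf" dev=sda2 ino=88001 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)'
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    obj = re.search(r'(?:name|path)="([^"]*)"', line)      # file name or full path, if logged
    return {
        "perms": set(m["perms"].split()),
        "comm": m["comm"],
        "source": m["scon"].split(":")[2],                  # user:role:type[:range] -> type
        "target": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
        "object": obj.group(1) if obj else "?",
    }


def collect_rules(log_text, source_domain):
    """Keep denials whose source domain matches; merge permissions per
    (source, target, class).  Also return (comm, class, object, perms) per kept
    denial so each rule can be checked against the file it was really about."""
    rules = defaultdict(set)
    evidence = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or d["source"] != source_domain:
            continue
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        evidence.append((d["comm"], d["tclass"], d["object"], tuple(sorted(d["perms"]))))
    return dict(rules), evidence


def render_module(name, version, rules):
    """Emit a loadable .te module: require block for every type and class used, then allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules, evidence = collect_rules(SAMPLE_AUDIT_LOG, "httpd_t")
    for comm, cls, obj, perms in evidence:
        print(f"review: {comm} wanted {' '.join(perms)} on {cls} {obj}")
    print(render_module("mailtest", "1.0", rules))
```

Run on the constructed log this produces exactly the require block terek posted (`class dir { add_name write }`, `class file { create getattr read write }`, types `httpd_t` and `var_t`) plus the matching allow rules, and the cupsd line never reaches the module. The review lines are the part audit2allow skips: each one names the file the denial was about, which is how you confirm the rule covers `default_pref` and the user `.pref` files rather than something unexpected. Note that the resulting `allow httpd_t var_t:...` rules apply to every `var_t`-labelled object, which is the breadth unSpawn warns about; narrowing a rule to one directory requires that directory to carry a type of its own rather than the generic `var_t`.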
This worked for me like magic.
Hope this will work for all.
You should note that:
- this thread was last updated over 2 years ago, and for a Fedora version that was already deprecated at that time.
- Fedora and its application policies have evolved, so posting any "fix" now might not make much sense.
- you clearly don't understand the "SELinux operating on top of DAC" part as your so-called "fix" effectively negates SELinux. On top of that:
- what you think works for you like "magic", giving every user write and execute rights, in reality is one of the worst things you can do.
So thanks for your contribution and do try again once the amount of research you've done outweighs the amount of damage you do with this "advice".