LinuxQuestions.org

access denied on squirrelmail / dovecot / SE Linux policy (https://www.linuxquestions.org/questions/linux-security-4/access-denied-on-squirrelmail-dovecot-se-linux-policy-340442/)

rioguia 07-05-2005 11:16 PM

access denied on squirrelmail / dovecot / SE Linux policy
 
I am attempting to troubleshoot a clean install of Fedora Core 3 to be used as a mailserver. I am denied access via squirrelmail and the error message from /var/log/messages is:

Quote:

Jul 6 00:05:26 ns1 kernel: audit(1120622726.472:0): avc: denied { connect } for pid=3690 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
I have the latest RPMs installed for Fedora Core 3 for Dovecot IMAP, Postfix, and Squirrelmail. I have set SELINUX=enabled in /etc/selinux/config and installed the latest targeted policy RPM from Dan Walsh at Red Hat (selinux-policy-targeted-1.17.30-3.16.noarch.rpm). This is supposed to fix the policy to allow squirrelmail to access dovecot imap.

My search of the forum confirms that this is a policy issue but the thread addressing this issue "solved" the problem by disabling SE Linux. See
http://www.linuxquestions.org/questi...=dovecot+audit

Two Questions:
1. Can someone help me correct the policy for this error message?
2. Can someone point me to a text or tutorial that will help me understand SE Linux and some of the basic commands associated with setting the policy, etc.?

Krugger 07-06-2005 04:58 AM

You should get setools to configure your system.

And I believe you need to put create_socket_perms or rw_socket_perms somewhere in your policy so that you have access to sockets.

Or something like

allow httpd_t netmsg_type:tcp_socket { connectto }

But you may want to use the tools ;)

You probably can also solve the problem by using the roles.

rioguia 07-06-2005 11:25 PM

Working solution needs explanation and improvement
 
I think I have a working solution. Can someone explain it and provide a better / safer way to do this? Or show me a way to reload the policy, etc. without rebooting?

I couldn't seem to make use of setools. Is there a command path I am missing?

Regardless, I did find a solution that works, but I can't recommend this since I really don't understand what this configuration change does.

I need to provide httpd access to the socket. Anybody have any ideas or a good manual that talks about setting permissions for sockets? I found a solution using a similar problem at this post:
http://forums.fedoraforum.org/forum/...ghlight=socket

This apparently is a known bug.
https://bugzilla.redhat.com/bugzilla....cgi?id=158181


The solution is:

Step 1.
vi /etc/selinux/targeted/booleans

Step 2.
insert:
httpd_can_network_connect=1

Step 3.
save and reboot.

Another possible solution is suggested here:
http://www.fedoraforum.org/forum/sho...2&postcount=12
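The following script is an added example, not code from the thread or from the Fedora policy package. It takes an AVC denial in the same shape as the one posted above (the sample line is constructed here, modelled on the poster's /var/log/messages entry), pulls out the source type, object class and permission, maps the httpd_t / tcp_socket / connect case to the boolean the poster edited by hand, and then shows the runtime alternative to editing /etc/selinux/targeted/booleans and rebooting: setsebool -P, which both persists the value and loads it immediately. The helper names (avc_field, avc_perm, suggest_boolean, apply_boolean) are this example's own; the mapping table only covers the case from the thread, and anything else falls through to "none".

```sh
#!/bin/sh
# Added example (not from the thread): map an AVC denial to an SELinux boolean
# and apply it at runtime with setsebool -P instead of editing the booleans
# file and rebooting.

# Constructed sample, modelled on the denial posted in the thread.
SAMPLE_AVC='Jul 6 00:05:26 ns1 kernel: audit(1120622726.472:0): avc: denied { connect } for pid=3690 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket'

# avc_field LINE KEY -> value of KEY=value in the AVC line (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE -> the first permission listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\) *}.*/\1/p'
}

# suggest_boolean LINE -> boolean that grants the denied access, or "none".
# Only the httpd outbound-TCP case from the thread is mapped; anything else
# should go through audit2allow rather than a guessed boolean.
suggest_boolean() {
    line=$1
    perm=$(avc_perm "$line")
    cls=$(avc_field "$line" tclass)
    # source type is the third colon-separated field of scontext (user:role:type[:level])
    stype=$(avc_field "$line" scontext | cut -d: -f3)
    case "$stype:$cls:$perm" in
        httpd_t:tcp_socket:connect|httpd_t:tcp_socket:name_connect)
            echo httpd_can_network_connect ;;
        *)
            echo none ;;
    esac
}

# apply_boolean NAME: persist and load the boolean without a reboot.
# Runs setsebool only when APPLY=1 is set, so reading the script is a dry run.
apply_boolean() {
    name=$1
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: would run 'setsebool -P $name=1' (as root)"
        return 0
    fi
    getsebool "$name" >/dev/null 2>&1 || { echo "unknown boolean: $name" >&2; return 1; }
    # -P writes the new value to the policy's booleans file and applies it now
    setsebool -P "$name"=1 && getsebool "$name"
}

main() {
    b=$(suggest_boolean "$SAMPLE_AVC")
    if [ "$b" = none ]; then
        echo "no boolean mapping for this denial; feed it to audit2allow instead"
        return 1
    fi
    apply_boolean "$b"
}

main
```

Run it as-is to see the dry run; run it as root with APPLY=1 to flip the boolean for real. Enabling httpd_can_network_connect lets httpd_t open TCP connections to any host and port, not only the local IMAP server, so it is wider than the minimum the webmail case needs; check the denial again with getsebool and the audit log after applying it, and keep the change scoped to the one boolean rather than disabling SELinux.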

