Craig Gill
2005-Mar-08 16:51 UTC
[Centos] Help with selinux not allowing http/php/postfix to send
Does anybody know how to configure selinux to remain active for targeted daemons and still allow a php script to use the mail() function to send email via postfix?

Here's a similar situation that also explains the problem:
http://archives.neohapsis.com/archives/postfix/2005-01/0630.html

Thanks,
Craig
Ignacio Vazquez-Abrams
2005-Mar-08 17:03 UTC
[Centos] Help with selinux not allowing http/php/postfix to
On Tue, 2005-03-08 at 10:51 -0600, Craig Gill wrote:
> Does anybody know how to configure selinux to remain active for
> targeted daemons and still allow a php script to use the mail()
> function to send email via postfix?

Just modify the policies appropriately.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
Craig Gill
2005-Mar-08 20:31 UTC
[Centos] Help with selinux not allowing http/php/postfix to send
I ran audit2allow against my /var/log/messages which shows what needs to be added/changed/allowed in selinux, but I'm brand new to selinux and not sure which file under /etc/selinux to add or change, can you point me in the right direction?

Here's the output from the audit2allow program:

allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t self:unix_dgram_socket { connect create };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_sys_script_t var_spool_t:dir { add_name remove_name search write };
allow httpd_sys_script_t var_spool_t:fifo_file { getattr write };
allow httpd_sys_script_t var_spool_t:file { create getattr rename setattr write };

Thanks,
Craig

On Tue, 08 Mar 2005 12:05:02 -0500, Ignacio Vazquez-Abrams <ivazquez@ivazquez.net> wrote:
> On Tue, 2005-03-08 at 10:51 -0600, Craig Gill wrote:
> > Does anybody know how to configure selinux to remain active for
> > targeted daemons and still allow a php script to use the mail()
> > function to send email via postfix?
>
> Just modify the policies appropriately.
>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
>
> --
> Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
> http://centos.ivazquez.net/
>
> _______________________________________________
> CentOS mailing list
> CentOS@caosity.org
> http://lists.caosity.org/mailman/listinfo/centos
Matt Bottrell
2005-Mar-08 20:37 UTC
[Centos] Help with selinux not allowing http/php/postfix to send
Yup... SELinux is all double-dutch to me.... :-/
I need to spend the time reading up on it.

What is everyone's assessment of it? Is it a worthwhile addition?

On Tue, 8 Mar 2005 14:31:27 -0600, Craig Gill <cgill27@gmail.com> wrote:
> I ran audit2allow against my /var/log/messages which shows what needs
> to be added/changed/allowed in selinux, but I'm brand new to selinux
> and not sure which file under /etc/selinux to add or change, can you
> point me in the right direction?
> Here's the output from the audit2allow program:
>
> allow httpd_sys_script_t devlog_t:sock_file write;
> allow httpd_sys_script_t self:process setrlimit;
> allow httpd_sys_script_t self:unix_dgram_socket { connect create };
> allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
> allow httpd_sys_script_t var_spool_t:dir { add_name remove_name search write };
> allow httpd_sys_script_t var_spool_t:fifo_file { getattr write };
> allow httpd_sys_script_t var_spool_t:file { create getattr rename
> setattr write };
>
> Thanks,
> Craig
>
> On Tue, 08 Mar 2005 12:05:02 -0500, Ignacio Vazquez-Abrams
> <ivazquez@ivazquez.net> wrote:
> > On Tue, 2005-03-08 at 10:51 -0600, Craig Gill wrote:
> > > Does anybody know how to configure selinux to remain active for
> > > targeted daemons and still allow a php script to use the mail()
> > > function to send email via postfix?
> >
> > Just modify the policies appropriately.
> >
> > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
> >
> > --
> > Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
> > http://centos.ivazquez.net/
Ignacio Vazquez-Abrams
2005-Mar-08 20:44 UTC
[Centos] Help with selinux not allowing http/php/postfix to
On Tue, 2005-03-08 at 14:31 -0600, Craig Gill wrote:
> I ran audit2allow against my /var/log/messages which shows what needs
> to be added/changed/allowed in selinux, but I'm brand new to selinux
> and not sure which file under /etc/selinux to add or change, can you
> point me in the right direction?

Install the selinux-policy-targeted-sources package, then put the lines in /etc/selinux/targeted/src/policy/domain/misc/httpd-postfix.te, then compile the policy as shown in Chapter 7 of the SELinux Guide.

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
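An added example (not code from this thread, from the CentOS project, or from the audit2allow tool itself): a small Python re-implementation of the grouping audit2allow performs, run over constructed AVC denial lines in the /var/log/messages format of CentOS 4, so the rules Craig pasted can be read back to the denials that produce them. It also adds a review pass that flags the rules which grant write-style access outside the script's own domain, the ones worth a second look before they are compiled into the .te file Ignacio describes. The hostname, pids, inode numbers and log lines are all constructed; the type names are the ones that appear in the thread.

```python
"""Rebuild audit2allow-style allow rules from AVC denials in syslog."""
import re
from collections import defaultdict

# Constructed sample lines in the CentOS 4 syslog format (kernel
# "audit(...): avc:" records in /var/log/messages). Illustrative only,
# not a capture from the poster's machine.
SAMPLE_MESSAGES = """\
Mar  8 10:40:01 web kernel: audit(1110292801.123:0): avc:  denied  { write } for  pid=2411 exe=/usr/sbin/sendmail.postfix name=log dev=hda2 ino=8193 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:devlog_t tclass=sock_file
Mar  8 10:40:01 web kernel: audit(1110292801.124:0): avc:  denied  { setrlimit } for  pid=2411 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Mar  8 10:40:01 web kernel: audit(1110292801.125:0): avc:  denied  { create } for  pid=2411 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Mar  8 10:40:01 web kernel: audit(1110292801.126:0): avc:  denied  { connect } for  pid=2411 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Mar  8 10:40:02 web kernel: audit(1110292802.001:0): avc:  denied  { search write add_name } for  pid=2411 exe=/usr/sbin/sendmail.postfix name=maildrop dev=hda2 ino=65540 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Mar  8 10:40:02 web kernel: audit(1110292802.002:0): avc:  denied  { create write } for  pid=2411 exe=/usr/sbin/sendmail.postfix name=12345.2411 dev=hda2 ino=65541 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=file
Mar  8 10:40:02 web postfix/pickup[1899]: warning: unable to read maildrop queue (constructed noise line)
Mar  8 10:40:03 web kernel: audit(1110292803.000:0): avc:  granted  { read } for  pid=2411 exe=/usr/sbin/sendmail.postfix name=main.cf dev=hda2 ino=3077 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Permissions, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one syslog line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def build_allow_rules(lines):
    """Group denials by (source, target, class) into allow rules.

    As audit2allow does, a target type equal to the source type is written
    as 'self', and permissions for the same triple are merged into one rule.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip non-AVC noise and 'granted' records
        target = "self" if rec["target"] == rec["source"] else rec["target"]
        perms_by_key[(rec["source"], target, rec["tclass"])].update(rec["perms"])

    rules = []
    for (source, target, tclass), perms in sorted(perms_by_key.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ %s }" % " ".join(ordered)
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, perm_text))
    return rules


# Heuristic set of permissions that let a domain modify objects it touches.
WRITE_LIKE = {"write", "create", "add_name", "remove_name", "rename", "setattr", "unlink"}


def review_rules(rules):
    """Return the rules that grant write-like access to a type other than 'self'.

    Pasting audit2allow output into policy unread turns whatever the script
    was doing at the time into permanent policy; these are the rules a policy
    reviewer should read before compiling them in.
    """
    flagged = []
    for rule in rules:
        _, _source, target_class, perm_text = rule.rstrip(";").split(" ", 3)
        target = target_class.split(":")[0]
        perms = set(perm_text.strip("{} ").split())
        if target != "self" and perms & WRITE_LIKE:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    generated = build_allow_rules(SAMPLE_MESSAGES.splitlines())
    print("\n".join(generated))
    for rule in review_rules(generated):
        print("review before compiling:", rule)
```

Running it prints five rules from the sample, four of which match lines in Craig's paste (the devlog_t socket write, the two self rules and the var_spool_t dir and file rules), and flags the three non-self write rules for review. On a real box the input would be the lines of /var/log/messages that contain "avc:"; the sample was kept to the denials a mail() call through the postfix sendmail wrapper would plausibly produce.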
Dave
2005-Mar-08 21:12 UTC
[Centos] Help with selinux not allowing http/php/postfix to send
On Wed, 9 Mar 2005 07:37:52 +1100, Matt Bottrell <mbottrell@gmail.com> wrote:
> Yup... SELinux is all double-dutch to me.... :-/
> I need to spend the time reading up on it.
>
> What is everyone's assessment of it? Is it a worthwhile addition?

I'm curious myself. I'm going to be updating my server at home to C4 soon. If I install SE as warn, can I turn it on full later?
Craig Gill
2005-Mar-08 21:25 UTC
[Centos] Help with selinux not allowing http/php/postfix to send
With the below info and the info I got from /var/log/messages with audit2allow, and also reading up a little on the rh selinux policy install I was able to get it to work, cool! SElinux is definitely a little complicated and does require a little reading up on, and you might do so before putting a Centos4 box in production.

Thanks again!
Craig

On Tue, 08 Mar 2005 15:46:08 -0500, Ignacio Vazquez-Abrams <ivazquez@ivazquez.net> wrote:
> On Tue, 2005-03-08 at 14:31 -0600, Craig Gill wrote:
> > I ran audit2allow against my /var/log/messages which shows what needs
> > to be added/changed/allowed in selinux, but I'm brand new to selinux
> > and not sure which file under /etc/selinux to add or change, can you
> > point me in the right direction?
>
> Install the selinux-policy-targeted-sources package, then put the lines
> in /etc/selinux/targeted/src/policy/domain/misc/httpd-postfix.te, then
> compile the policy as shown in Chapter 7 of the SELinux Guide.
>
> --
> Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
> http://centos.ivazquez.net/
Ignacio Vazquez-Abrams
2005-Mar-08 21:33 UTC
[Centos] Help with selinux not allowing http/php/postfix to
On Wed, 2005-03-09 at 07:37 +1100, Matt Bottrell wrote:
> What is everyone's assessment of it? Is it a worthwhile addition?

It's a great way to secure a system without having to worry about every little bit of code on the system, but it does require an experienced policy writer in order to take complete advantage of it.

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
Les Mikesell
2005-Mar-08 22:09 UTC
[Centos] Help with selinux not allowing http/php/postfix to
On Tue, 2005-03-08 at 15:35, Ignacio Vazquez-Abrams wrote:
> On Wed, 2005-03-09 at 07:37 +1100, Matt Bottrell wrote:
> > What is everyone's assessment of it? Is it a worthwhile addition?
>
> It's a great way to secure a system without having to worry about every
> little bit of code on the system, but it does require an experienced
> policy writer in order to take complete advantage of it.

On the other hand you might wonder why Linus hasn't blessed the changes into the mainstream kernel...

--
Les Mikesell
les@futuresource.com
Ignacio Vazquez-Abrams
2005-Mar-08 23:19 UTC
[Centos] Help with selinux not allowing http/php/postfix to
On Tue, 2005-03-08 at 13:12 -0800, Dave wrote:
> If I install SE as warn, can I turn it on full later?

Most definitely. The problem is if you install it as off. Then it takes a bit of work to turn it on after.

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/