On Jun 7, 2006, at 11:19 AM, Lazy wrote:
> Hello,
> I'm using the targeted policy.
> PHP's mail() function fails because of selinux.
>
> audit(1149662369.454:2): avc: denied { setgid } for pid=18085
> comm="sendmail" capability=6
scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
>
> When i turn to permisive mode:
> audit(1149668677.105:12): avc: denied { setuid } for pid=29159
> comm="sendmail" capability=7 scontext=root:system_r:ht
> tpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t
> tclass=capability
> audit(1149668677.157:13): avc: denied { dac_override } for
> pid=29159 comm="sendmail" capability=1 scontext=root:syste
> m_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t
> tclass=capability
> audit(1149668677.209:14): avc: denied { write } for pid=29159
> comm="sendmail" name="input" dev=dm-3 ino=1335707 scont
> ext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
> audit(1149668677.209:15): avc: denied { add_name } for pid=29159
> comm="sendmail" name="1FntLB-0007aJ-6i-D" scontext=r
> oot:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t
> tclass=dir
>
> Maybe there should be a context change to some mta specific context
> diuring the execution of /usr/sbin/sendmail.
>
> ls -Z /usr/zbin
> -rwsr-xr-x root root system_u:object_r:sbin_t /usr/
> sbin/exim
> lrwxrwxrwx root root root:object_r:sbin_t
> /usr/sbin/sendmail -> /etc/alternatives/mta
> lrwxrwxrwx root root system_u:object_r:sbin_t
> /usr/sbin/sendmail.exim -> exim
>
> Maybe exim shuld be sendmail_exec_t ?
>
> I can't experiment now. Will try setting it later.
>
> Can anyone give me some guaidance ?
audit2allow is very helpful. It will tell you what policies you need
to add to mitigate a denial. It's in the policycoreutils rpm. There
seems to be no man page for it on CentOS, but
audit2allow </var/log/messages
is probably what you want.
Tony Schreiner