I am attempting to use qmailadmin offered by http://www.inter7.com/. This is implemented by a plugin in squirrelmail. The program qmailadmin allows users to change their vpopmail passwords through the web interface.
Solutions found when searching for an answer all state "selinux enforcing will not allow qmailadmin to set uid". "Disable selinux if it is enabled".
This is not a solution I'm willing to accept.
The vpopmail directory has this context:
# vpopmail vchkpw user_u:object_r:user_home_t
Summary:
SELinux is preventing the qmailadmin from using potentially mislabeled files (./1294101113.qw).
Detailed Description:
SELinux has denied qmailadmin access to potentially mislabeled file(s) (./1294101113.qw). This means that SELinux will not allow qmailadmin to use these files.
Additional Information:
Source Context                user_u:system_r:httpd_sys_script_t
Target Context                user_u:object_r:user_home_t
Target Objects                ./1294101113.qw [ dir ]
Source                        qmailadmin
Source Path                   /var/www/cgi-bin/qmailadmin
Port                          <Unknown>
Host                          host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     host.atmyhome
Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   1
First Seen                    Mon Jan 3 15:31:53 2011
Last Seen                     Mon Jan 3 15:31:53 2011
Local ID                      f2265c4e-f0eb-4578-a760-0cf0678b2216
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied { add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
host=host.atmyhome type=AVC msg=audit(1294101113.176:2334): avc: denied { create } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003 syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
Also this one follows:
SELinux is preventing the qmailadmin from using potentially mislabeled files (/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied qmailadmin access to potentially mislabeled file(s) (/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw). This means that SELinux will not allow qmailadmin to use these files.
Allowing Access:
If you want qmailadmin to access this files, you need to relabel them using restorecon -v '/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw'.
Additional Information:
Source Context                user_u:system_r:httpd_sys_script_t
Target Context                user_u:object_r:user_home_t
Target Objects                /home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw [ file ]
Source                        qmailadmin
Source Path                   /var/www/cgi-bin/qmailadmin
Port                          <Unknown>
Host                          host.atmyhome
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     host.atmyhome
Platform                      Linux host.atmyhome 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   1
First Seen                    Mon Jan 3 15:31:53 2011
Last Seen                     Mon Jan 3 15:31:53 2011
Local ID                      3d48d4c0-326f-4322-9354-4b71e74ee2dc
Line Numbers
Raw Audit Messages
host=host.atmyhome type=AVC msg=audit(1294101113.179:2335): avc: denied { write } for pid=6717 comm="qmailadmin" path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw" dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=host.atmyhome type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003 syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
I am thinking that vpopmail should not have the context of user_home_t even though it is in the /home directory. But what to change the context to I'm not sure.
Bless you all
Kristen
On 01/04/2011 02:46 AM, Kristen wrote:
[...]
Is vpopmail a user on your system? If so, can you show me its entry from /etc/passwd? (If this is an actual user account then it should be mapped to /sbin/nologin or /bin/false shells.)
I guess I would look in the qmailadmin configuration to see if I can configure which location qmailadmin uses for this info and, if possible, I would probably change it to something like /var/lib/vpopmail and then label that dir httpd_sys_content_rw_t.
If that is not possible, then I would probably look into labelling /home/vpopmail(/.*)? httpd_sys_content_rw_t.
httpd_sys_script_t can manage httpd_sys_content_rw_t content.
Since it's actually storing confidential data I would probably use the apache_content_template() to create a special domain for qmailadmin so that it is separated from your other cgi webapps.
Then you can, if needed, also extend that domain to allow qmailadmin whatever it needs and is not allowed already.
In conclusion:
1. Is vpopmail an actual user on the system? (grep vpopmail /etc/passwd; grep qmailadmin /etc/passwd;)
2. Can vpopmail/qmailadmin be configured to store its information in a specified location? (So that we can move it from /home/vpopmail to something like /var/lib/vpopmail.)
3. Did vpopmail/qmailadmin install that /home/vpopmail directory? (rpm -ql qmailadmin)
Once you have answered the questions above I can probably be more helpful.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
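The audit records in the thread can be triaged mechanically before deciding on a label. The script below is an added example, not code from the thread or from the qmailadmin/vpopmail projects. It takes the audit lines Kristen posted (copied inline as constructed sample input, with the host= prefix dropped), joins each AVC record with the SYSCALL record that shares its serial, and reports which source type asked for which permissions on which target type and class, together with the uid/euid the process ran under and whether the access was only logged because the box was in permissive mode. relabel_plan only formats the semanage fcontext / restorecon pair that a persistent relabel needs; the target type httpd_sys_content_rw_t and the top directory /home/vpopmail are assumptions taken from Dominick's suggestion, and his questions about who else has to reach that tree decide whether they are the right ones.

```python
"""Triage SELinux AVC denials from raw audit records (added example).

Joins each AVC record with the SYSCALL record that shares its audit serial,
then summarizes which source domain wanted which permissions on which target
type, so the label change can be chosen deliberately rather than by trial.
"""
import re
from collections import defaultdict

# Constructed sample input: the audit records posted in the thread, as they
# would appear in /var/log/audit/audit.log (the "host=" prefix dropped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1294101113.176:2334): avc: denied { add_name } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1294101113.176:2334): avc: denied { create } for pid=6717 comm="qmailadmin" name="1294101113.qw" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1294101113.176:2334): arch=40000003 syscall=5 success=yes exit=5 a0=8070b80 a1=241 a2=1b6 a3=9ebe4b8 items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1294101113.179:2335): avc: denied { write } for pid=6717 comm="qmailadmin" path="/home/vpopmail/domains/atmyhome.org/kris_s/Maildir/1294101113.qw" dev=dm-2 ino=2752786 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1294101113.179:2335): arch=40000003 syscall=4 success=yes exit=44 a0=5 a1=b7fa2000 a2=2c a3=2c items=0 ppid=21470 pid=6717 auid=4294967295 uid=48 gid=48 euid=508 suid=508 fsuid=508 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="qmailadmin" exe="/var/www/cgi-bin/qmailadmin" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied \{ ([^}]*) \}")


def parse_record(line):
    """Split one audit line into a dict of its key=value fields; adds
    'serial' (the audit event id) and, for AVC records, the 'perms' list."""
    m = SERIAL_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = m.group(2)
    p = PERMS_RE.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def triage(audit_text):
    """One entry per (source type, target type, object class) denied, with the
    union of permissions, the objects touched, and the credentials the process
    ran under. AVC 'denied' plus SYSCALL success=yes means permissive mode:
    the access was logged but allowed, and would fail once enforcing."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "AVC":
            events[rec["serial"]]["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
    summary = {}
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        for avc in events[serial]["avc"]:
            key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
            e = summary.setdefault(key, {
                "perms": set(), "paths": set(), "comm": avc.get("comm"),
                "exe": sc.get("exe"), "uid": sc.get("uid"), "euid": sc.get("euid"),
                "permissive": False})
            e["perms"].update(avc.get("perms", []))
            e["paths"].update(avc[k] for k in ("path", "name") if k in avc)
            if sc.get("success") == "yes":
                e["permissive"] = True
    return [dict(src=k[0], tgt=k[1], tclass=k[2], **v) for k, v in summary.items()]


def relabel_plan(top_dir, new_type):
    """Commands for a persistent relabel: record the file-context rule first so
    a later full relabel keeps it, then apply it (chcon alone would not persist).
    Which type is right depends on who else must reach the tree (MTA, users);
    httpd_sys_content_rw_t is the assumption taken from the reply above."""
    return [
        f"semanage fcontext -a -t {new_type} '{top_dir}(/.*)?'",
        f"restorecon -R -v {top_dir}",
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        # uid 48 is apache on EL5; a differing euid shows the setuid switch
        # that the "qmailadmin needs to set uid" folklore refers to.
        print(f"{row['src']} -> {row['tgt']} ({row['tclass']}): "
              f"{' '.join(sorted(row['perms']))} by {row['comm']} "
              f"uid={row['uid']} euid={row['euid']} permissive={row['permissive']}")
    print("\n".join(relabel_plan("/home/vpopmail", "httpd_sys_content_rw_t")))
```

Run against the sample, the summary collapses the five records to two rows: httpd_sys_script_t needs add_name on a user_home_t directory and create plus write on a user_home_t file, all executed with uid 48 and euid 508, and all flagged permissive because every SYSCALL record says success=yes. That is exactly the shape of the "what to change the context to" question: either the target type changes (the relabel), or the source domain changes (a dedicated domain built with apache_content_template), and the rows tell you which permissions the chosen type must grant.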
On 01/04/2011 10:42 AM, Dominick Grift wrote:
[...]
Actually this may (or may not) be more complicated than I initially thought. Another possible solution (sub-optimal) is to label /home/vpopmail(/.*) public_content_rw_t and allow (probably amongst others) httpd_sys_script_t access to it (apache_anon_write boolean?).
It depends on your requirements. Who/what needs to be able to interact with /home/vpopmail.* (some MTA, users? etc.)?