QmailAdmin / Patches / #18 qmailadmin with selinux (addition to FAQ)

#18 qmailadmin with selinux (addition to FAQ)

Status: open-accepted

Owner: Matt Brookings

Labels: None

Priority: 9

Updated: 2009-08-14

Created: 2005-01-05

Creator: Nerijus Baliūnas

Private: No

If you get "cannot read assign file" when logging in,
it means SELinux (as in Fedora Core 3 for example) does
not let the qmailadmin cgi script to read/write some
files. I watched /var/log/messages for "avc: denied"
messages, and found the rules needed to create and
delete an account:

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
vi domains/misc/local.te
paste the following 3 lines:

allow httpd_sys_script_t var_t:lnk_file { read };
allow httpd_sys_script_t user_home_t:dir { search read
getattr write add_name remove_name create setattr rmdir };
allow httpd_sys_script_t user_home_t:file { read write
getattr create setattr rename lock unlink };

make reload
service httpd restart

Or, instead of the above, you can change the types of
files and directories which qmailadmin touches with:

chcon -t httpd_sys_script_rw_t <files and directories>

Discussion

Nerijus Baliūnas - 2005-03-31

Logged In: YES
user_id=3416

The 3rd "allow" line should have 'append' also:
allow httpd_sys_script_t user_home_t:file { read write
getattr create setattr rename lock unlink append };

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Matt Brookings - 2009-08-14

Thank you

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Matt Brookings - 2009-08-14

priority: 5 --> 9

assigned_to: nobody --> volz0r

status: open --> open-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

qmailadmin with selinux (addition to FAQ)

Group

Searches

Help

#18 qmailadmin with selinux (addition to FAQ)

Discussion