Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Qmail: users

HOWTO: qmail's sendmail, SELinux, and apache/php

  

 
Qmail users RSS feed   Index | Next | Previous | View Threaded


qmail at hilbig

May 7, 2008, 8:44 PM

Post #1 of 4 (315 views)
Permalink
HOWTO: qmail's sendmail, SELinux, and apache/php
I'm posting this for reference as well as asking any SELinux experts to
provide feedback.

With SELinux enabled, apache/php cannot use qmail's sendmail because of
context restrictions.

Here is how to allow PHP's mailto() function to use qmail's sendmail.

This applies to CentOS Linux v5.1. It may work on other flavors/versions.

DISCLAIMER: I make no warranties, guarantees, etc. Use at your own risk.


# chcon -t httpd_sys_content_t /var/qmail/bin/sendmail
allows apache/php to invoke qmail's sendmail

# chcon -t httpd_sys_content_t /var/qmail/bin/qmail-inject
allows qmail's sendmail to invoke qmail-inject

# chcon -t httpd_sys_content_t /var/qmail/control
# chcon -t httpd_sys_content_t /var/qmail/control/defaultdomain
# chcon -t httpd_sys_content_t /var/qmail/control/deaulthost
# chcon -t httpd_sys_content_t /var/qmail/control/idhost
# chcon -t httpd_sys_content_t /var/qmail/control/plusdomain
# chcon -t httpd_sys_content_t /var/qmail/control/me
allows qmail-inject to read the control files it uses

# chcon -t httpd_sys_content_t /var/qmail/bin/qmail-queue
allows qmail-inject to invoke qmail-queue

# chcon -t httpd_sys_content_t /var/qmail/control/taps
allows qmail-queue to read the control file used by the 'taps' patch

IMPORTANT: Stop all processes that have anything to do with qmail's queue.
(qmail-queue, qmail-smtpd, etc)
We don't want any queue manipulation taking place while
making context changes to the queue.

# chcon --recursive -t httpd_sys_content_t /var/qmail/queue/pid
# chcon --recursive -t httpd_sys_content_t /var/qmail/queue/mess
# chcon --recursive -t httpd_sys_content_t /var/qmail/queue/intd
# chcon --recursive -t httpd_sys_content_t /var/qmail/queue/todo
allows qmail-queue to put a message into the queue

You can now start qmail again.


Now edit the PHP.INI file and change sendmail_path so that it references
qmail's sendmail:
sendmail_path = /var/qmail/bin/sendmail -t -i

Finally, restart apache:
# service httpd restart


DISCLAIMER: I make no warranties, guarantees, etc. Use at your own risk.


jnichols at unboundtechnology

May 8, 2008, 8:09 AM

Post #2 of 4 (296 views)
Permalink
Re: HOWTO: qmail's sendmail, SELinux, and apache/php [In reply to]
On May 7, 2008, at 11:44 PM, D. Hilbig wrote:
> With SELinux enabled, apache/php cannot use qmail's sendmail because
> of
> context restrictions.

Hadn't run into this personally yet, thanks for the heads up.


> # chcon -t httpd_sys_content_t /var/qmail/bin/sendmail
> allows apache/php to invoke qmail's sendmail

I certainly haven't tested this, so I don't mean to contradict you,
but isn't "httpd_sys_content_t" the context for html and php pages?
Since the default SELinux policies of CentOS 5 /do/ work with
sendmail, wouldn't a more logical approach be to apply the standard
sendmail contexts to the binaries? For CentOS, /usr/sbin/sendmail has
the "user_u:object_r:sbin_t" context. I'm concerned about the
security implications of the qmail binaries being treated as html
content--I'm well aware of the security of the qmail binaries
themselves, but I can conceive of an apache vector that may allow
qmail-inject to be exploited or modified if the contexts are set as
such.

Perhaps if the community could come to a consensus about the "correct"
contexts to use, Dave would consider adding some chcon lines to LWQ.
Another approach could be that netqmail 1.07 could patch the build
scripts to set context as well as permissions (assuming SELinux is
present and enabled).

I suspect within a few years SELinux will become another errno debate,
but eventually setting contexts appropriately will be a requirement
for many users.


--joshua.


qmail at hilbig

May 8, 2008, 10:25 AM

Post #3 of 4 (295 views)
Permalink
RE: HOWTO: qmail's sendmail, SELinux, and apache/php [In reply to]
Joshua,

You are right about "httpd_sys_content_t" not being the ideal context and
the security risks it poses. I just needed to get it to work. I have
posted this issue to a SELinux mailing list. Once I get feedback from the
SELinux experts I'll repost my HOW-TO.

In hindsight, I shouldn't have posted my HOW-TO just yet.



-----Original Message-----
From: Joshua Nichols [mailto:jnichols[at]unboundtechnology.com]
Sent: Thursday, May 08, 2008 8:09 AM
To: qmail[at]list.cr.yp.to
Subject: Re: HOWTO: qmail's sendmail, SELinux, and apache/php


On May 7, 2008, at 11:44 PM, D. Hilbig wrote:
> With SELinux enabled, apache/php cannot use qmail's sendmail because
> of
> context restrictions.

Hadn't run into this personally yet, thanks for the heads up.


> # chcon -t httpd_sys_content_t /var/qmail/bin/sendmail
> allows apache/php to invoke qmail's sendmail

I certainly haven't tested this, so I don't mean to contradict you,
but isn't "httpd_sys_content_t" the context for html and php pages?
Since the default SELinux policies of CentOS 5 /do/ work with
sendmail, wouldn't a more logical approach be to apply the standard
sendmail contexts to the binaries? For CentOS, /usr/sbin/sendmail has
the "user_u:object_r:sbin_t" context. I'm concerned about the
security implications of the qmail binaries being treated as html
content--I'm well aware of the security of the qmail binaries
themselves, but I can conceive of an apache vector that may allow
qmail-inject to be exploited or modified if the contexts are set as
such.

Perhaps if the community could come to a consensus about the "correct"
contexts to use, Dave would consider adding some chcon lines to LWQ.
Another approach could be that netqmail 1.07 could patch the build
scripts to set context as well as permissions (assuming SELinux is
present and enabled).

I suspect within a few years SELinux will become another errno debate,
but eventually setting contexts appropriately will be a requirement
for many users.


--joshua.


bruno at wolff

May 8, 2008, 2:16 PM

Post #4 of 4 (289 views)
Permalink
Re: HOWTO: qmail's sendmail, SELinux, and apache/php [In reply to]
On Wed, May 07, 2008 at 20:44:13 -0700,
"D. Hilbig" <qmail[at]hilbig.name> wrote:
>
> I'm posting this for reference as well as asking any SELinux experts to
> provide feedback.
>
> With SELinux enabled, apache/php cannot use qmail's sendmail because of
> context restrictions.
>
> Here is how to allow PHP's mailto() function to use qmail's sendmail.
>
> This applies to CentOS Linux v5.1. It may work on other flavors/versions.

I don't think this is the right approach. The qmail stuff should have system
or qmail type labels, not web server labels.

I am pretty sure the base selinux policy had some stuff for qmail at one
time, though I am not sure it still does.

You might try asking about this on the selinux list.

I need to to work on a similar problem using qmail on Fedora 9. I am running
in permissive mode because the targeted policy shipped with F9 is blocking
some qmail functions and I need to figure out how I should fix things.

Qmail users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.