Mailing List Archive: Qmail: users

qmail's sendmail, SELinux, and apache/php

 

 



qmail at hilbig

May 6, 2008, 5:38 PM

Post #1 of 2 (238 views)
qmail's sendmail, SELinux, and apache/php

I'm trying to allow apache/php to send email via qmail's sendmail program
but SELinux (on CentOS v5.1) is giving me a bit of a hassle.

I will not disable SELinux so I need to tweak the policy to allow it to
work.

Here's what I've got so far:


# chcon -t httpd_sys_content_t /var/qmail/bin/sendmail
allows apache/php to invoke qmail's sendmail

# chcon -t httpd_sys_content_t /var/qmail/bin/qmail-inject
allows qmail's sendmail to invoke qmail-inject

# chcon -t httpd_sys_content_t /var/qmail/control/defaultdomain
# chcon -t httpd_sys_content_t /var/qmail/control/defaulthost
# chcon -t httpd_sys_content_t /var/qmail/control/idhost
# chcon -t httpd_sys_content_t /var/qmail/control/plusdomain
# chcon -t httpd_sys_content_t /var/qmail/control/me
allows qmail-inject to read the control files it uses

# chcon -t httpd_sys_content_t /var/qmail/bin/qmail-queue
allows qmail-inject to invoke qmail-queue


Here's where I'm stuck...

What policy changes do I need to make to /var/qmail/queue to allow
qmail-queue to put a message in the queue WITHOUT making the SELinux
policy looser than it needs to be? I'm using the BIG-EXT-TODO patch.


Any help you can offer is appreciated.


jms1 at jms1

May 9, 2008, 4:25 PM

Post #2 of 2 (204 views)
Re: qmail's sendmail, SELinux, and apache/php [In reply to]

On 2008-05-06, at 2038, D. Hilbig wrote:
>
> I'm trying to allow apache/php to send email via qmail's sendmail program
> but SELinux (on CentOS v5.1) is giving me a bit of a hassle.
>
> I will not disable SELinux so I need to tweak the policy to allow it to
> work.
>
> Here's what I've got so far:

i'm not an expert with SELinux, but i paid close attention during two
presentations about it at the local linux user group meeting-
presentations given by steve grubb, from redhat, whose job (at least
in part) is writing the SELinux policies and tools for fedora.

which means i have somewhat of an understanding of how it works, but
i'm not overly familiar with the specific commands involved (my
clients have been keeping me too busy with paying work for me to learn
it through experimentation, which is how i validate what i *think*
i've picked up through "book learning"...)

so take this with a very large grain of salt.

> # chcon -t httpd_sys_content_t /var/qmail/bin/sendmail
> allows apache/php to invoke qmail's sendmail
>
> # chcon -t httpd_sys_content_t /var/qmail/bin/qmail-inject
> allows qmail's sendmail to invoke qmail-inject
>
> # chcon -t httpd_sys_content_t /var/qmail/control/defaultdomain
> # chcon -t httpd_sys_content_t /var/qmail/control/defaulthost
> # chcon -t httpd_sys_content_t /var/qmail/control/idhost
> # chcon -t httpd_sys_content_t /var/qmail/control/plusdomain
> # chcon -t httpd_sys_content_t /var/qmail/control/me
> allows qmail-inject to read the control files it uses


these all make perfect sense, because both "sendmail" and "qmail-inject"
are likely to be called by CGI, PHP, and other web-driven scripts.


> # chcon -t httpd_sys_content_t /var/qmail/bin/qmail-queue
> allows qmail-inject to invoke qmail-queue

i remember hearing about a way to set things up so that when "program
a" (i.e. qmail-inject) runs "program b" (i.e. qmail-queue), it can
change the context under which it's running at the same time- similar
to the idea of a "setuid" flag on the executable, except with finer
control (i.e. if qmail-inject runs qmail-queue, and qmail-inject is
running under the "httpd_sys_content_t" context, then change the
context to something else... but if some script tries to run
qmail-queue directly, or qmail-inject isn't running under that specific
context, then don't change it.)

i think that's the avenue you need to explore. as it stands right now,
whatever context your qmail-smtpd processes run as, when THEY call
qmail-queue, it's already in the correct context to do its job
(otherwise you wouldn't have any incoming mail.) i think i would try
to write a policy where if qmail-inject, running under the
"httpd_sys_content_t" context, wants to run qmail-queue, it "changes
to" the whatever context under which qmail-queue runs when qmail-smtpd
executes it.

i'm sorry i can't provide any more concrete information than that, but
since you're presumably neck-deep in SELinux policy files anyway,
hopefully this will give you enough of an idea to figure out the
mechanics on your own.

you may also want to find the redhat mailing list where they talk
about developing the selinux tools, and ask there. chances are you'll
find the person who originally wrote whatever policy file is allowing
qmail to run right now, and he'll be able to tell you exactly what
needs to be changed (and probably add those changes to a future fedora
release as well.)

good luck, let us know what you find out. i'm sure you're not the only
one looking at, if not wrestling with, SELinux on this list.

--------------------------------------------------------
| John M. Simpson -- KG4ZOW -- Programmer At Large |
| http://www.jms1.net/ <jmsl[at]jms1.net> |
--------------------------------------------------------
| Hope for America -- http://www.ronpaul2008.com/ |
--------------------------------------------------------





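The domain-transition approach the reply describes, written out as a concrete SELinux policy module plus the build steps, as an added example; this is not code from either poster. It assumes the CentOS 5 targeted policy runs Apache, and therefore the relabelled qmail-inject, in the httpd_t process domain, and it uses qmail_queue_exec_t and qmail_queue_t as placeholder names for the entrypoint file type of /var/qmail/bin/qmail-queue and for the domain qmail-queue already runs in when qmail-smtpd executes it. The thread names none of these types, so confirm the real ones with show_queue_labels (or set SRC_DOMAIN, QUEUE_EXEC and QUEUE_DOMAIN) before loading anything. The point of the module is that only the transition is added: httpd_t gets no access at all to /var/qmail/queue, which is what the original question asked for.

```shell
#!/bin/sh
# Added example (not from the thread): build a small SELinux policy module that
# makes qmail-queue switch OUT of Apache's domain when executed from it, instead
# of relabelling qmail-queue and /var/qmail/queue as web content.
#
# Assumed names (none appear in the thread; verify with show_queue_labels):
#   SRC_DOMAIN   domain Apache/PHP (and the relabelled qmail-inject) run in
#   QUEUE_EXEC   file type on /var/qmail/bin/qmail-queue that triggers the switch
#   QUEUE_DOMAIN domain qmail-queue already runs in when qmail-smtpd calls it;
#                that domain can already write /var/qmail/queue, so nothing
#                about the queue directory itself has to be loosened.
SRC_DOMAIN=${SRC_DOMAIN:-httpd_t}
QUEUE_EXEC=${QUEUE_EXEC:-qmail_queue_exec_t}
QUEUE_DOMAIN=${QUEUE_DOMAIN:-qmail_queue_t}
MODULE=qmail_web_queue

# Show the labels that decide the transition: the binary's file type, the
# queue directory's type, and the domain of any running qmail-queue/qmail-smtpd.
show_queue_labels() {
    ls -Zd /var/qmail/bin/qmail-queue /var/qmail/queue
    ps -eZ | grep -E 'qmail-(queue|smtpd)' | grep -v grep
}

# Emit the type-enforcement source for the module on stdout.
# $1 = source domain, $2 = entrypoint file type, $3 = target domain
gen_policy() {
    src=$1; exe=$2; dom=$3
    cat <<EOF
module $MODULE 1.0;

require {
    type $src;
    type $exe;
    type $dom;
    class file { getattr read execute entrypoint };
    class process { transition sigchld };
}

# $src may execute the qmail-queue binary ...
allow $src $exe:file { getattr read execute };
# ... and may switch to $dom while doing so
allow $src $dom:process transition;
# $exe is a valid entry point into $dom
allow $dom $exe:file entrypoint;
# let the child report its exit back to the parent
allow $dom $src:process sigchld;
# make the switch automatic, so qmail-inject needs no change at all
type_transition $src $exe:process $dom;
EOF
}

# Compile and load the module. Needs checkmodule, semodule_package and semodule
# (policycoreutils / selinux-policy-devel on CentOS 5); run as root.
install_policy() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    gen_policy "$SRC_DOMAIN" "$QUEUE_EXEC" "$QUEUE_DOMAIN" > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te" &&
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod" &&
    semodule -i "$MODULE.pp"
}

# Load only when explicitly asked, so the functions can be sourced and inspected.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    show_queue_labels
    install_policy
fi
```

After the module is loaded, the binary must carry the entrypoint type or the transition never fires: `chcon -t qmail_queue_exec_t /var/qmail/bin/qmail-queue` (replacing the httpd_sys_content_t label from the first post), or `restorecon` if the distribution's file contexts already know the type. Anything still missing shows up as an AVC denial in /var/log/audit/audit.log, and `audit2allow -a` summarizes exactly which rule that is, which is a far better guide than adding further chcon targets by trial and error.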
