[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Squirrelmail forward plugin



Nicklas Norling wrote:

Hi,

I've compiled a local policy for the squirrel plugin mail_fwd found at
http://www.squirrelmail.org/plugin_view.php?id=16.

The minimum required for creating and removing a users .forward file is:

allow httpd_sys_script_t self:capability { setgid setuid };
allow httpd_sys_script_t user_home_dir_t:dir { write add_name remove_name };
allow httpd_sys_script_t user_home_dir_t:file { write create getattr unlink };


Seems like we need policy for the plugin. IE a domain has to be written for it. Maybe a squirrel_helper_exec_t, squirrel_helper_t.

Are these appropriate for inclusion in the next targetted policy or should I
send this info for inclusion in the plugins docs? Seems like an awful lot of rights
to hand out?


The plugin has 18000 downloads according to their webpage.
/Nicke

Nicklas Norling wrote:

Hi.

Just noted a user tried to add .forward by using the forwarding module in squirrelmail.

Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc: denied { setgid } for pid=24466 comm="wfwd" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

httpd log:
/usr/local/sbin/wfwd: Operation not permitted

[root spock html]# audit2allow -d -l
allow httpd_sys_script_t self:capability setgid;

The tool used is wfwd.

<snip>

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list



--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]