Re: Squirrelmail forward plugin

Nicklas Norling wrote:

I've compiled a local policy for the squirrel plugin mail_fwd found at

The minimum required for creating and removing a user's .forward file is:

allow httpd_sys_script_t self:capability { setgid setuid };
allow httpd_sys_script_t user_home_dir_t:dir { write add_name remove_name };
allow httpd_sys_script_t user_home_dir_t:file { write create getattr unlink };

Seems like we need policy for the plugin, i.e. a domain has to be written for it. Maybe a squirrel_helper_exec_t, squirrel_helper_t.

Are these appropriate for inclusion in the next targeted policy or should I
send this info for inclusion in the plugin's docs? Seems like an awful lot of rights
to hand out?

The plugin has 18000 downloads according to their webpage.

Nicklas Norling wrote:

Just noted a user tried to add .forward by using the forwarding module in squirrelmail.

Jul 20 00:56:52 spock kernel: audit(1121813812.917:1844): avc: denied { setgid } for pid=24466 comm="wfwd" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

httpd log:
/usr/local/sbin/wfwd: Operation not permitted

[root spock html]# audit2allow -d -l
allow httpd_sys_script_t self:capability setgid;

The tool used is wfwd.
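One way to act on the suggestion of a separate domain, as an added example that is not from this thread: a loadable policy module (assumes a modular policy toolchain, checkmodule/semodule) that introduces hypothetical squirrel_helper_t and squirrel_helper_exec_t types and moves the three rights off httpd_sys_script_t onto the helper alone, so every other CGI script stays without setuid and home-directory write access. The three rules in the thread were the minimum on top of what httpd_sys_script_t already has, so a fresh domain is assumed to surface further denials (e.g. passwd lookups) that belong on the helper, not on the CGI domain.

```selinux
module squirrel_helper 1.0;

require {
	type httpd_sys_script_t;
	type user_home_dir_t;
	attribute domain;
	class capability { setgid setuid };
	class dir { search write add_name remove_name };
	class file { read getattr execute entrypoint write create unlink };
	class process { transition sigchld };
	class fd use;
	class fifo_file { read write };
}

# Hypothetical domain and entrypoint type for the wfwd helper
type squirrel_helper_t, domain;
type squirrel_helper_exec_t;

# Let the CGI domain execute the helper and transition into the new domain
allow httpd_sys_script_t squirrel_helper_exec_t:file { read getattr execute };
allow squirrel_helper_t squirrel_helper_exec_t:file { read getattr execute entrypoint };
allow httpd_sys_script_t squirrel_helper_t:process transition;
type_transition httpd_sys_script_t squirrel_helper_exec_t:process squirrel_helper_t;

# Plumbing for the child: inherit the parent's descriptors and pipes, report exit
allow squirrel_helper_t httpd_sys_script_t:fd use;
allow squirrel_helper_t httpd_sys_script_t:fifo_file { read write };
allow squirrel_helper_t httpd_sys_script_t:process sigchld;

# The three rights from the thread, granted to the helper domain only,
# so ordinary CGI scripts in httpd_sys_script_t never get setuid/setgid
# or write access to users' home directories
allow squirrel_helper_t self:capability { setgid setuid };
allow squirrel_helper_t user_home_dir_t:dir { search write add_name remove_name };
allow squirrel_helper_t user_home_dir_t:file { write create getattr unlink };
```

The transition only happens once /usr/local/sbin/wfwd is labelled squirrel_helper_exec_t (a matching .fc entry is assumed). Any new denials then show up with scontext=squirrel_helper_t in the audit log, which keeps the grant scoped to the helper.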