RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1754622 - Regression: httpd_can_sendmail=1 still forbids /usr/sbin/sendmail via PHP mail()
Summary: Regression: httpd_can_sendmail=1 still forbids /usr/sbin/sendmail via PHP mail()
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-23 18:02 UTC by Robert Scheck
Modified: 2019-12-26 22:36 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-09 14:18:22 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Robert Scheck 2019-09-23 18:02:19 UTC 
Description of problem:
Since RHEL 7.7, the SELinux policy seems to forbid PHP mail() to call the
/usr/sbin/sendmail command, even if SELinux boolean httpd_can_sendmail=1:

type=AVC msg=audit(1569261420.538:1172504): avc:  denied  { execute } for  pid=9780 comm="sendmail" name="smtpd" dev="sda3" ino=528933 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1569261420.538:1172504): arch=c000003e syscall=59 success=no exit=-13 a0=563f8d566bc0 a1=563f8d566b60 a2=563f8d5669a0 a3=4 items=0 ppid=24880 pid=9780 auid=4294967295 uid=1010 gid=1008 euid=1010 suid=1010 fsuid=1010 egid=1008 sgid=1008 fsgid=1008 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=PROCTITLE msg=audit(1569261420.538:1172504): proctitle=2F7573722F7362696E2F73656E646D61696C002D6273

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-252.el7.1.noarch
selinux-policy-targeted-3.13.1-252.el7.1.noarch

How reproducible:
See above.

Actual results:
httpd_can_sendmail=1 still forbids /usr/sbin/sendmail via PHP mail()

Expected results:
Regular PHP mail() usage (which calls /usr/sbin/sendmail in background).
Comment 2 Robert Scheck 2019-09-23 18:07:07 UTC 
A simple (non-minimal) reproducer seems to be RHEL 7.7 with PHP-FPM 7.x (either from Remi or from SCL) and latest ownCloud which is configured to mail send mode "PHP".

Cross-filed ticket 02478480 at the Red Hat customer portal.
Comment 3 Zdenek Pytela 2019-09-27 09:15:01 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Comment 4 Robert Scheck 2019-09-27 13:31:03 UTC 
I am sorry, this is not acceptable. Red Hat introduced a regression and now refuses to fix it. I already requested an escalation via ticket 02478480 at the Red Hat customer portal.
Comment 5 Milos Malik 2019-10-02 12:01:54 UTC 
# rpm -qa httpd\* postfix\* selinux-policy\* php\* | sort
httpd-2.4.6-90.el7.x86_64
httpd-manual-2.4.6-90.el7.noarch
httpd-tools-2.4.6-90.el7.x86_64
php-cli-5.4.16-46.el7.x86_64
php-common-5.4.16-46.el7.x86_64
php-fpm-5.4.16-46.el7.x86_64
postfix-2.10.1-7.el7.x86_64
selinux-policy-3.13.1-252.el7.noarch
selinux-policy-targeted-3.13.1-252.el7.noarch

Following scenario uses PHP instead of PHP-FPM and it works in enforcing mode:

# cat /var/www/html/sendemail.php 
<?php
   $to_email = "mmalik";
   $subject = "Simple Email Test via PHP";
   $body = "Hi, This is test email send by PHP Script";
   $headers = "From: root";
 
   if ( mail($to_email, $subject, $body, $headers)) {
      echo("Email successfully sent to $to_email...");
   } else {
      echo("Email sending failed...");
   }
?>
# service httpd start
Redirecting to /bin/systemctl start httpd.service
# service postfix start
Redirecting to /bin/systemctl start postfix.service
# setsebool httpd_can_sendmail on
# curl http://localhost.localdomain/sendemail.php
Email successfully sent to mmalik...
# ausearch -m avc -i
<no matches>
#
Comment 8 Milos Malik 2019-12-09 14:17:01 UTC 
Please let us know which scenario you use to trigger the SELinux denial mentioned in comment#0. I expect that you use a different scenario than what is shown in comment#5.
Comment 9 Lukas Vrabec 2019-12-09 14:18:22 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Current minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Note You need to log in before you can comment on or make changes to this bug.