Bug 1754622

Summary:	Regression: httpd_can_sendmail=1 still forbids /usr/sbin/sendmail via PHP mail()
Product:	Red Hat Enterprise Linux 7	Reporter:	Robert Scheck <redhat-bugzilla>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED WONTFIX	QA Contact:	Milos Malik <mmalik>
Severity:	high	Docs Contact:
Priority:	medium
Version:	7.7	CC:	apmukher, chrisw, cww, lvrabec, mmalik, plautrba, robert.scheck, sbroz, ssekidde, vmojzis, zpytela
Target Milestone:	rc	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-12-09 14:18:22 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Robert Scheck 2019-09-23 18:02:19 UTC

Description of problem:
Since RHEL 7.7, the SELinux policy seems to forbid PHP mail() to call the
/usr/sbin/sendmail command, even if SELinux boolean httpd_can_sendmail=1:

type=AVC msg=audit(1569261420.538:1172504): avc:  denied  { execute } for  pid=9780 comm="sendmail" name="smtpd" dev="sda3" ino=528933 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1569261420.538:1172504): arch=c000003e syscall=59 success=no exit=-13 a0=563f8d566bc0 a1=563f8d566b60 a2=563f8d5669a0 a3=4 items=0 ppid=24880 pid=9780 auid=4294967295 uid=1010 gid=1008 euid=1010 suid=1010 fsuid=1010 egid=1008 sgid=1008 fsgid=1008 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=PROCTITLE msg=audit(1569261420.538:1172504): proctitle=2F7573722F7362696E2F73656E646D61696C002D6273

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-252.el7.1.noarch
selinux-policy-targeted-3.13.1-252.el7.1.noarch

How reproducible:
See above.

Actual results:
httpd_can_sendmail=1 still forbids /usr/sbin/sendmail via PHP mail()

Expected results:
Regular PHP mail() usage (which calls /usr/sbin/sendmail in background).

Comment 2 Robert Scheck 2019-09-23 18:07:07 UTC

A simple (non-minimal) reproducer seems to be RHEL 7.7 with PHP-FPM 7.x (either from Remi or from SCL) and latest ownCloud which is configured to mail send mode "PHP".

Cross-filed ticket 02478480 at the Red Hat customer portal.

Comment 3 Zdenek Pytela 2019-09-27 09:15:01 UTC

This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 4 Robert Scheck 2019-09-27 13:31:03 UTC

I am sorry, this is not acceptable. Red Hat introduced a regression and now refuses to fix it. I already requested an escalation via ticket 02478480 at the Red Hat customer portal.

Comment 5 Milos Malik 2019-10-02 12:01:54 UTC

# rpm -qa httpd\* postfix\* selinux-policy\* php\* | sort
httpd-2.4.6-90.el7.x86_64
httpd-manual-2.4.6-90.el7.noarch
httpd-tools-2.4.6-90.el7.x86_64
php-cli-5.4.16-46.el7.x86_64
php-common-5.4.16-46.el7.x86_64
php-fpm-5.4.16-46.el7.x86_64
postfix-2.10.1-7.el7.x86_64
selinux-policy-3.13.1-252.el7.noarch
selinux-policy-targeted-3.13.1-252.el7.noarch

Following scenario uses PHP instead of PHP-FPM and it works in enforcing mode:

# cat /var/www/html/sendemail.php 
<?php
   $to_email = "mmalik";
   $subject = "Simple Email Test via PHP";
   $body = "Hi, This is test email send by PHP Script";
   $headers = "From: root";
 
   if ( mail($to_email, $subject, $body, $headers)) {
      echo("Email successfully sent to $to_email...");
   } else {
      echo("Email sending failed...");
   }
?>
# service httpd start
Redirecting to /bin/systemctl start httpd.service
# service postfix start
Redirecting to /bin/systemctl start postfix.service
# setsebool httpd_can_sendmail on
# curl http://localhost.localdomain/sendemail.php
Email successfully sent to mmalik...
# ausearch -m avc -i
<no matches>
#

Comment 8 Milos Malik 2019-12-09 14:17:01 UTC

Please let us know which scenario you use to trigger the SELinux denial mentioned in comment#0. I expect that you use a different scenario than what is shown in comment#5.

Comment 9 Lukas Vrabec 2019-12-09 14:18:22 UTC

This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Current minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.