Bug 479821

Summary: SELinux preventing sendmail from reading files targeted as httpd_t
Product: Red Hat Enterprise Linux 5
Reporter: extremoburo <extremoburo>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED DEFERRED
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.2
CC: atontti+rh, dwalsh
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-02-26 08:16:51 UTC

Description extremoburo 2009-01-13 12:14:18 UTC
Description of problem:

type=AVC msg=audit(1231842874.365:12653): avc:  denied  { read } for  pid=16853 comm="sendmail" path="eventpoll:[2710364]" dev=eventpollfs ino=2710364 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=file

I can solve it with this custom policy:

# Module header so the fragment can be built with checkmodule/semodule_package;
# the module name is arbitrary (chosen here, not part of the original report).
module local_mail_httpd 1.0;

require {
        type httpd_t;
        type system_mail_t;
        class file read;
}

#============= system_mail_t ==============
# Allow the mailer domain to read files labeled httpd_t (the denied access above).
allow system_mail_t httpd_t:file read;


Version-Release number of selected component (if applicable):
postfix-2.3.3-2.1.el5_2 (sendmail.postfix)

Additional info:

OS: CentOS 5.2

Comment 1 extremoburo 2009-01-13 12:15:29 UTC
Installed SELinux policy: selinux-policy-2.4.6-137.1.el5

Comment 2 Daniel Walsh 2009-01-13 15:20:29 UTC
This is pretty strange and I have never seen it before or in Fedora releases. It is probably not blocking anything of use. Are you receiving email?

Comment 3 extremoburo 2009-01-13 16:02:42 UTC
I've just set SELinux to enforcing mode and it looks like no one is suffering because of that. I'll let you know of any news.

Comment 4 Asko Tontti 2009-02-22 21:39:38 UTC
I have seen this with CentOS 5. It seems that httpd is leaking file descriptors when it is forking sendmail.

type=AVC msg=audit(1235275202.224:934): avc:  denied  { read } for  pid=18556 comm="sendmail" path="eventpoll:[245714]" dev=eventpollfs ino=245714 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

The lsof command shows:
COMMAND     PID      USER   FD      TYPE             DEVICE       SIZE       NODE NAME
httpd      3194    apache   14r     0000               0,10          0     245714 eventpoll

so SELinux is preventing sendmail from accessing httpd's eventpoll, which seems the correct thing to do.

Comment 5 Joe Orton 2009-02-23 16:45:46 UTC
From what are you invoking sendmail? A PHP script? Expected behaviour, if so. (It's due to an impedance mismatch between the httpd API, which prevents fd leaks, and the PHP code, which doesn't use it.)

Comment 6 Asko Tontti 2009-02-25 18:20:16 UTC
> From what are you invoking sendmail?

PHP program which uses PHPMailer. PHPMailer then runs sendmail with popen().

Comment 7 Joe Orton 2009-02-26 08:16:51 UTC
Right, expected behaviour then, I'm afraid.

This should get fixed in some future release when O_CLOEXEC support is integrated properly into APR, but this is unlikely to be suitable to backport to RHEL5.
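
The descriptor leak from comments 4 to 7 and the close-on-exec remedy, as an added example (not code from httpd, APR or PHPMailer): it creates an eventpoll descriptor, spawns a shell through popen() the way PHPMailer spawns sendmail, and reports whether the child inherited it. It assumes a Linux system with epoll_create1(), glibc popen() and /bin/sh; the shell probe command is constructed for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn /bin/sh via popen(), as PHPMailer does for sendmail, and have the
 * shell try to dup the inherited descriptor number. dup only succeeds if that
 * number is still open in the child, so exit status 0 means the descriptor
 * survived fork+exec. Returns 1 on leak, 0 if closed on exec, -1 on error.
 * The probe command is constructed for this example; the real child is sendmail. */
static int child_inherits_fd(int fd)
{
    char cmd[64];
    FILE *p;
    int status;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null <&%d", fd);
    p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    status = pclose(p);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create an eventpoll object (the "eventpoll:[...]" file in the AVC message)
 * without close-on-exec (flags 0, the leaky case) or with EPOLL_CLOEXEC (the
 * O_CLOEXEC-style remedy) and check whether a popen() child can still see it. */
int epoll_leaks_into_child(int epoll_flags)
{
    int efd = epoll_create1(epoll_flags);
    int leaked;
    if (efd < 0)
        return -1;
    leaked = child_inherits_fd(efd);
    close(efd);
    return leaked;
}

int main(void)
{
    printf("plain epoll fd:   %s\n", epoll_leaks_into_child(0) == 1 ? "leaks into child" : "closed on exec");
    printf("EPOLL_CLOEXEC fd: %s\n", epoll_leaks_into_child(EPOLL_CLOEXEC) == 1 ? "leaks into child" : "closed on exec");
    return 0;
}
```

With the plain descriptor the child (here sh, in the bug sendmail) holds httpd's eventpoll and any SELinux domain transition on exec produces exactly the AVC denial reported above; with EPOLL_CLOEXEC there is nothing to deny.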

Comment 8 Daniel Walsh 2009-02-26 14:12:32 UTC
Adding dontaudit to selinux-policy-2.4.6-216.el5