Bug 479821
| Field | Value |
|---|---|
| Summary | selinux preventing sendmail to read files targeted as httpd_t |
| Product | Red Hat Enterprise Linux 5 |
| Component | httpd |
| Version | 5.2 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED DEFERRED |
| Severity | medium |
| Priority | low |
| Target Milestone | rc |
| Reporter | extremoburo <extremoburo> |
| Assignee | Joe Orton <jorton> |
| QA Contact | BaseOS QE <qe-baseos-auto> |
| CC | atontti+rh, dwalsh |
| Doc Type | Bug Fix |
| Last Closed | 2009-02-26 08:16:51 UTC |

Description
extremoburo
2009-01-13 12:14:18 UTC
installed selinux: selinux-policy-2.4.6-137.1.el5

This is pretty strange and I have never seen it before or in Fedora releases. Probably is not blocking anything of use. Are you receiving email?

I've just set SELinux to enforce mode and it looks like no one is suffering because of that. I'll let you know any news.

I have seen this with CentOS5. It seems that httpd is leaking file descriptors when it is forking sendmail.

```
type=AVC msg=audit(1235275202.224:934): avc: denied { read } for pid=18556 comm="sendmail" path="eventpoll:[245714]" dev=eventpollfs ino=245714 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
```

lsof command shows

```
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 3194 apache 14r 0000 0,10 0 245714 eventpoll
```

so SELinux is preventing sendmail accessing httpd's eventpoll, which seems the correct thing to do.

From what are you invoking sendmail? A PHP script? Expected behaviour, if so. (It's due to an impedance mismatch between the httpd API which prevents fd leaks, and the PHP code, which doesn't use it)

> From what are you invoking sendmail?
PHP program which uses PHPMailer. PHPMailer then runs sendmail with popen().
Right, expected behaviour then, I'm afraid. This should get fixed in some future release when O_CLOEXEC support is integrated properly into APR, but this is unlikely to be suitable to backport to RHEL5.

Adding dontaudit to selinux-policy-2.4.6-216.el5
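
The descriptor leak discussed in this thread, reproduced as an added example (not code from the bug report, httpd, APR or PHP): an epoll descriptor created without close-on-exec is inherited by a `popen()` child, while `EPOLL_CLOEXEC` or a later `fcntl(F_SETFD, FD_CLOEXEC)` keeps it out of the child. The helper names are hypothetical, and the check assumes Linux with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: spawn a child with popen(), as the PHPMailer case in
 * this report does, and ask it whether descriptor `fd` is open in its table.
 * Returns 1 if inherited, 0 if not, -1 on error. Needs Linux /proc. */
static int child_sees_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    FILE *p = popen(cmd, "w");
    if (!p)
        return -1;
    int status = pclose(p);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Create an epoll instance with `create_flags`, optionally set FD_CLOEXEC
 * afterwards with fcntl(), and report whether a popen() child inherits it. */
int epoll_fd_leaks(int create_flags, int set_cloexec_later)
{
    int efd = epoll_create1(create_flags);
    if (efd < 0)
        return -1;
    if (set_cloexec_later) {
        int fl = fcntl(efd, F_GETFD);
        if (fl < 0 || fcntl(efd, F_SETFD, fl | FD_CLOEXEC) < 0) {
            close(efd);
            return -1;
        }
    }
    int leaked = child_sees_fd(efd);
    close(efd);
    return leaked;
}

int main(void)
{
    printf("epoll_create1(0):             leaked=%d\n", epoll_fd_leaks(0, 0));
    printf("epoll_create1(EPOLL_CLOEXEC): leaked=%d\n", epoll_fd_leaks(EPOLL_CLOEXEC, 0));
    printf("fcntl(F_SETFD, FD_CLOEXEC):   leaked=%d\n", epoll_fd_leaks(0, 1));
    return 0;
}
```

The `fcntl()` variant leaves a window between creation and flag-setting in which another thread's fork and exec can still inherit the descriptor; setting the flag atomically at creation closes that window.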