Description of problem: nginx with php-fpm (httpd_t) application runs /usr/sbin/sendmail to send outgoing mail. I was surprised to find a great many AVC denials with postfix and httpd_t as this is a fairly common server configuration. Perhaps there should be some kind of boolean for this? Version-Release number of selected component (if applicable): selinux-policy-targeted-3.12.1-74.8.fc19.noarch php-fpm-5.5.4-1.fc19.x86_64 nginx-1.4.2-1.fc19.x86_64 type=AVC msg=audit(1381120734.077:222): avc: denied { write } for pid=5597 comm="postdrop" name="maildrop" dev="vda1" ino=6686100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381120734.077:222): avc: denied { add_name } for pid=5597 comm="postdrop" name="77376.5597" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381120734.077:222): avc: denied { create } for pid=5597 comm="postdrop" name="77376.5597" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381120734.077:222): avc: denied { read write open } for pid=5597 comm="postdrop" path="/var/spool/postfix/maildrop/77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381122059.229:278): avc: denied { remove_name } for pid=6099 comm="postdrop" name="229172.6099" dev="vda1" ino=6695755 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381122059.229:278): avc: denied { rename } for pid=6099 comm="postdrop" name="229172.6099" dev="vda1" ino=6695755 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381122124.069:288): avc: denied { write } for pid=7704 comm="postdrop" name="pickup" dev="vda1" ino=6684900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file type=AVC msg=audit(1381120734.077:223): avc: denied { getattr } for pid=5597 comm="postdrop" path="/var/spool/postfix/maildrop/77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381120734.077:224): avc: denied { remove_name } for pid=5597 comm="postdrop" name="77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381120734.077:224): avc: denied { rename } for pid=5597 comm="postdrop" name="77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381120734.077:225): avc: denied { setattr } for pid=5597 comm="postdrop" name="12F6966547D" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file type=AVC msg=audit(1381124660.664:320): avc: denied { remove_name } for pid=24591 comm="postdrop" name="666047.24591" dev="vda1" ino=6692534 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381125407.259:383): avc: denied { getattr } for pid=3261 comm="postdrop" path="/var/spool/postfix/public/pickup" dev="vda1" ino=6684900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file type=AVC msg=audit(1381125407.260:384): avc: denied { connectto } for pid=3261 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket type=AVC msg=audit(1381125407.251:380): avc: denied { read } for pid=3260 comm="sendmail" name="main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file type=AVC msg=audit(1381125407.251:380): avc: denied { open } for pid=3260 comm="sendmail" path="/etc/postfix/main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file type=AVC msg=audit(1381125407.251:381): avc: denied { getattr } for pid=3260 comm="sendmail" path="/etc/postfix/main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file type=AVC msg=audit(1381125407.252:382): avc: denied { search } for pid=3260 comm="sendmail" name="postfix" dev="vda1" ino=6686088 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
These additional denials appeared only after I enabled enforcing mode. type=AVC msg=audit(1381127049.290:432): avc: denied { search } for pid=29981 comm="sendmail" name="postfix" dev="vda1" ino=2621441 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir type=AVC msg=audit(1381127514.601:461): avc: denied { search } for pid=5177 comm="postdrop" name="maildrop" dev="vda1" ino=6686100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=AVC msg=audit(1381127717.386:471): avc: denied { search } for pid=8174 comm="postdrop" name="public" dev="vda1" ino=6686112 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
I added changes for it to RHEL. Lukas, could you back port them?
Wouldn't that be a forward port? =) I certainly hope this fix also goes into $NEXT_RHEL.
It should we always work in upstream first,
back ported to f20 and f19. commit 57cb05b0618ca7584636f422510fbc6e668db623 Author: Lukas Vrabec <lvrabec> Date: Tue Oct 15 10:15:39 2013 +0200 Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop commit 710317b57d0fd4d48d679cc605a0a02c3aa05582 Author: Lukas Vrabec <lvrabec> Date: Tue Oct 15 10:10:26 2013 +0200 Add postfix_rw_spool_maildrop_files interface
selinux-policy-3.12.1-74.10.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.10.fc19
Confirmed, working great!
Package selinux-policy-3.12.1-74.10.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.10.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-19368/selinux-policy-3.12.1-74.10.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-74.10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.