Description of problem:

With the default installation of Fedora fc3 [with all updates], the webserver daemon httpd cannot send emails using perl scripts. Shouldn't httpd be allowed by default to send emails using perl scripts?

The following errors are reported in the log files:

/var/log/httpd/error_log

    [Wed Jan 19 10:23:28 2005] [error] [client 192.168.1.3] Program mode requires special privileges, e.g., root or TrustedUser.

/var/log/messages

    Jan 19 10:28:16 bugzilla kernel: audit(1106159296.344:0): avc: denied { search } for pid=6250 exe=/usr/sbin/sendmail.sendmail name=spool dev=md0 ino=24707108 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
    Jan 19 10:28:16 bugzilla kernel: audit(1106159296.344:0): avc: denied { create } for pid=6250 exe=/usr/sbin/sendmail.sendmail scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Version-Release number of selected component (if applicable):

    kernel-smp-2.6.10-1.741_FC3
    selinux-policy-targeted-1.17.30-2.72
    sendmail-8.13.1-2
    httpd-2.0.52-3.1
    perl-5.8.5-9

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

How reproducible:

Every time

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Steps to Reproduce:

The webserver is set to execute perl scripts for the virtual host as reported in /etc/httpd/conf/httpd.conf

    <Directory /var/www/example.com/html>
    Options +FollowSymLinks +Indexes +Includes +ExecCGI
    # Other configuration parameters
    </Directory>

Sample perl script to send email similar to that of bugzilla

    [root@bugzilla bugzilla] cat /var/www/example.com/html/test.cgi
    #!/usr/bin/perl -w
    $message = "From: bugzilla-admin-daemon\nTo: user\@example.com\nSubject: Bugzilla Change Password Request\n\nYou (or someone impersonating you) has requested to change your Bugzilla\npassword. To change your password, visit the following link:\nEnd of email.\n\n";
    print "Content-Type: text/html; charset=ISO-8859-1\n\n";
    print "------------------------------------------\n";
    open SENDMAIL, "|/usr/lib/sendmail -t -i";
    print SENDMAIL $message;
    close SENDMAIL;
    print "------------------------------------------\n";
    print "Mail Sent\n";

    [root@bugzilla bugzilla]# ls -Z test.cgi
    -rwxr-x--- root apache system_u:object_r:httpd_sys_content_test.cgi

webserver output as reported by the browser

    ------------------------------------------
    can not chdir(/var/spool/clientmqueue/): Permission denied
    ------------------------------------------
    Mail Sent

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Actual results:

The webserver executes the perl scripts and silently ignores sending the email.

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Expected results:

WebServer daemon httpd running with regular user "apache" should be able to send emails using perl scripts?

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Additional info:

Newer policy should handle this. You may need to relabel sendmail, though. Update policy and then

    rpm -q -l sendmail | restorecon -R -v -f -