Bug 145561 - httpd, by default, does not send email using perl scripts?
Summary: httpd, by default, does not send email using perl scripts?
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Russell Coker
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-01-19 19:05 UTC by Sol
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-09-05 07:39:03 UTC
Type: ---
Embargoed:



Description Sol 2005-01-19 19:05:54 UTC
Description of problem:
With the default installation of Fedora fc3 [with all updates], the 
webserver daemon httpd cannot send emails using perl scripts. 
Shouldn't httpd be allowed by default to send emails using perl 
scripts? The following errors are reported in the log files:

/var/log/httpd/error_log
[Wed Jan 19 10:23:28 2005] [error] [client 192.168.1.3] Program mode requires special privileges, e.g., root or TrustedUser.

/var/log/messages
Jan 19 10:28:16 bugzilla kernel: audit(1106159296.344:0): avc:  denied  { search } for  pid=6250 exe=/usr/sbin/sendmail.sendmail name=spool dev=md0 ino=24707108 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 19 10:28:16 bugzilla kernel: audit(1106159296.344:0): avc:  denied  { create } for  pid=6250 exe=/usr/sbin/sendmail.sendmail scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Version-Release number of selected component (if applicable):
kernel-smp-2.6.10-1.741_FC3
selinux-policy-targeted-1.17.30-2.72
sendmail-8.13.1-2
httpd-2.0.52-3.1
perl-5.8.5-9


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
How reproducible:
Every time


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Steps to Reproduce:
The webserver is set to execute perl scripts for the virtual host as 
reported in /etc/httpd/conf/httpd.conf
<Directory /var/www/example.com/html>
	Options +FollowSymLinks +Indexes +Includes +ExecCGI
	# Other configuration parameters

</Directory>

Sample perl script to send email similar to that of bugzilla
[root@bugzilla bugzilla]# cat /var/www/example.com/html/test.cgi
#!/usr/bin/perl -w

# Mail headers, a blank line, then the body (one string, split for readability)
$message = "From: bugzilla-admin-daemon\n"
         . "To: user\@example.com\n"
         . "Subject:  Bugzilla Change Password Request\n\n"
         . "You (or someone impersonating you) has requested to change your Bugzilla\n"
         . "password.  To change your password, visit the following link:\n"
         . "End of email.\n\n";

print "Content-Type: text/html; charset=ISO-8859-1\n\n";
print "------------------------------------------\n";

open SENDMAIL, "|/usr/lib/sendmail -t -i";
print SENDMAIL $message;
close SENDMAIL;

print "------------------------------------------\n";
print "Mail Sent\n";


[root@bugzilla bugzilla]# ls -Z test.cgi
-rwxr-x---  root     apache   system_u:object_r:httpd_sys_content_t test.cgi


webserver output as reported by the browser
------------------------------------------
can not chdir(/var/spool/clientmqueue/): Permission denied
------------------------------------------
Mail Sent


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~  
Actual results:
The webserver executes the perl scripts and silently ignores sending 
the email.


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Expected results:
WebServer daemon httpd running with regular user "apache" should be 
able to send emails using perl scripts?


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Additional info:

Comment 1 Daniel Walsh 2005-01-19 21:53:36 UTC
Newer policy should handle this. You may need to relabel 
sendmail though.

Update policy and then
rpm -q -l sendmail | restorecon -R -v -f -

