Bug 168874 - SELinux denies sendmail "name_connect" through httpd to php to perl
SELinux denies sendmail "name_connect" through httpd to php to perl
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-20 16:16 EDT by Amin Astaneh
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-21 14:31:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Amin Astaneh 2005-09-20 16:16:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Description of problem:
SELinux issues a "name_connect" denial when I attempt to submit a trouble ticket in the PHP package I am using, which calls a perl script that interfaces with sendmail, port 25 on loopback. All the appropriate booleans are set in order to grant apache access to make TCP connections. To ensure that perl is not the culprit, I wrote this snippet of perl which SELinux did not deny:

#!/usr/local/bin/perl

use MIME::Base64;
use strict;

#  send reply message to the ticket owner
open(MAIL, "| /usr/lib/sendmail -t");
print MAIL "From: aastaneh@cmax2,com\n";
print MAIL "To: mysticmichael@hotmailcom\n";
print MAIL "Subject: Test to see if SELinux hates perl\n\n";
print MAIL "\This is the test.\n";

close(MAIL);

I was able to disable this denial by inserting this line from audit2allow to
the sourcefile local.te and recompile the policy:

allow system_mail_t smtp_port_t:tcp_socket name_connect;

However I believe that is not the proper solution to this problem. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Install Fedora Core III with httpd, php, mysql, mysqld, php-mysql, sendmail
2.Update Packages & Kernel to current (2.6.12 and beyond)
3.Set appropriate SELinux Booleans:

allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
read_default_t --> active
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive

4.Install phpSupport http://phpsupport.jynx.net/
5.Create Trouble Ticket (which calls a perl script to connect to sendmail)
  

Actual Results:  Sep 20 13:32:38 testapache kernel: audit(1127237558.889:12): avc:  denied  { name_connect } for  pid=23913 comm="sendmail" dest=25 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket


Expected Results:  Apache/PHP should have been able to call the perl script and send two emails without SELinux issuing a denial- if that is something that should be disabled by
default, there should exist an seboolean for it that can be changed. 

Additional info:
Comment 1 Daniel Walsh 2005-09-21 14:31:50 EDT
That is the proper fix.  And it is fixed in FC4 and Rawhide.  I don't intend to
update FC3 policy at this time, but your workaround is fine.

Note You need to log in before you can comment on or make changes to this bug.