From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Description of problem:
SELinux issues a "name_connect" denial when I attempt to submit a trouble ticket in the PHP package I am using, which calls a perl script that interfaces with sendmail, port 25 on loopback. All the appropriate booleans are set in order to grant apache access to make TCP connections.

To ensure that perl is not the culprit, I wrote this snippet of perl which SELinux did not deny:

    #!/usr/local/bin/perl
    use MIME::Base64;
    use strict;

    # send reply message to the ticket owner by piping it to sendmail
    open(MAIL, "| /usr/lib/sendmail -t") or die "cannot run sendmail: $!";
    print MAIL "From: aastaneh@cmax2,com\n";
    print MAIL "To: mysticmichael@hotmailcom\n";
    print MAIL "Subject: Test to see if SELinux hates perl\n\n";
    print MAIL "This is the test.\n";
    close(MAIL);

I was able to disable this denial by inserting this line from audit2allow into the source file local.te and recompiling the policy:

    allow system_mail_t smtp_port_t:tcp_socket name_connect;

However, I believe that is not the proper solution to this problem.
Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora Core III with httpd, php, mysql, mysqld, php-mysql, sendmail
2. Update packages & kernel to current (2.6.12 and beyond)
3. Set appropriate SELinux booleans:
   allow_execmem --> active
   allow_execmod --> active
   allow_execstack --> active
   allow_kerberos --> inactive
   allow_ypbind --> inactive
   dhcpd_disable_trans --> inactive
   httpd_builtin_scripting --> active
   httpd_can_network_connect --> active
   httpd_disable_trans --> inactive
   httpd_enable_cgi --> active
   httpd_enable_homedirs --> active
   httpd_ssi_exec --> active
   httpd_tty_comm --> inactive
   httpd_unified --> active
   mysqld_disable_trans --> inactive
   named_disable_trans --> inactive
   named_write_master_zones --> inactive
   nscd_disable_trans --> inactive
   ntpd_disable_trans --> inactive
   portmap_disable_trans --> inactive
   postgresql_disable_trans --> inactive
   read_default_t --> active
   snmpd_disable_trans --> inactive
   squid_connect_any --> inactive
   squid_disable_trans --> inactive
   syslogd_disable_trans --> inactive
   use_nfs_home_dirs --> inactive
   use_samba_home_dirs --> inactive
   winbind_disable_trans --> inactive
   ypbind_disable_trans --> inactive
4. Install phpSupport http://phpsupport.jynx.net/
5. Create a trouble ticket (which calls a perl script to connect to sendmail)

Actual Results:
Sep 20 13:32:38 testapache kernel: audit(1127237558.889:12): avc: denied { name_connect } for pid=23913 comm="sendmail" dest=25 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket

Expected Results:
Apache/PHP should have been able to call the perl script and send two emails without SELinux issuing a denial; if that is something that should be disabled by default, there should exist an seboolean for it that can be changed.

Additional info:
That is the proper fix. And it is fixed in FC4 and Rawhide. I don't intend to update FC3 policy at this time, but your workaround is fine.
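The report shows the two halves of the workaround: an AVC denial line from the kernel audit log and the allow rule audit2allow derived from it. The following is an added example (not part of the bug report or of audit2allow) that parses AVC denial lines of that format, takes the source and target types from the contexts, and merges the permissions per (source, target, class) triple into allow rules; the sample line is the one quoted in the report, and the helper names are my own.

```python
import re

# AVC denial exactly as quoted in the bug report (FC3-era kernel audit format);
# used here as the sample input.
SAMPLE_AVC = ('Sep 20 13:32:38 testapache kernel: audit(1127237558.889:12): avc: denied '
              '{ name_connect } for pid=23913 comm="sendmail" dest=25 '
              'scontext=root:system_r:system_mail_t '
              'tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket')

# "avc: denied { perm [perm ...] } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:level]; the policy rule needs the type.
    source_type = m.group('scontext').split(':')[2]
    target_type = m.group('tcontext').split(':')[2]
    return {'source': source_type, 'target': target_type,
            'tclass': m.group('tclass'), 'perms': m.group('perms').split()}


def format_perms(perms):
    """Single permission bare, several in braces, as in policy source."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def rules_from_log(lines):
    """Allow rules (audit2allow style) for the denials in lines, one per
    (source type, target type, class), permissions merged and deduplicated."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        perms = merged.setdefault((avc['source'], avc['target'], avc['tclass']), [])
        for p in avc['perms']:
            if p not in perms:
                perms.append(p)
    return ['allow %s %s:%s %s;' % (s, t, c, format_perms(p))
            for (s, t, c), p in merged.items()]


if __name__ == '__main__':
    for rule in rules_from_log([SAMPLE_AVC]):
        print(rule)  # allow system_mail_t smtp_port_t:tcp_socket name_connect;
```

Each generated rule should still be read before it goes into local.te, since the tool only transcribes what was denied; whether the access is legitimate (here, the mail transport agent reaching the SMTP port) is a judgement the log cannot make.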