Bug 197627 - php mail() function disabled by SELinux
Summary: php mail() function disabled by SELinux
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
: 197628 197629 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2006-07-04 23:30 UTC by Kirk Smith
Modified: 2007-11-30 22:11 UTC (History)
0 users

Clone Of:
Last Closed: 2006-08-11 19:16:45 UTC

Attachments (Terms of Use)

Description Kirk Smith 2006-07-04 23:30:27 UTC
Description of problem:
Use of the mail function found in php does not send mail.  selinux reports a 
avc: denied { execute } .. comm="httpd" name="bash" .....
The mail() built-in function should work by default in PHP.  It is commonly 
used by a number of PHP based web services.  If the internal function was made 
to avoid the use of bash, a reasonable SELinux security policy could be 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Daniel Walsh 2006-07-11 16:25:32 UTC
*** Bug 197628 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2006-07-11 16:26:10 UTC
*** Bug 197629 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2006-07-11 16:26:48 UTC
Csn you give me the entire avc message(s)

Comment 4 Kirk Smith 2006-07-12 23:17:07 UTC
Jul  7 15:36:51 ns1 kernel: audit(1152304611.113:325): avc:  denied  { execute }
for  pid=3913 comm="httpd" name="bash" dev=dm-0 ino=10420294
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0

Comment 5 Daniel Walsh 2006-07-17 19:09:23 UTC
Does setting the httpd_ssi_exec boolean fix your problems?

setsebool-P httpd_ssi_exec=1

Comment 6 Kirk Smith 2006-07-17 19:32:11 UTC
Call me old fashioned, if you wish. The way PHP mail is implemented, it uses 
the PHP popen function, which executes bash with the command line.  The 
command line starts sendmail.  Remember that part of this command line is 
derived from user input.  I considered the security risk of bash and sendmail 
to both be unacceptable, and proceeded to come up with a workaround avoiding 
the php mail function altogether. I turned to the PEAR Mail stuff, and used 
the SMTP interface, which can connect to a specified host via SMTP to send 
mail from httpd.

In the end, PHP should avoiding using popen, and should implement a lower 
level exec of sendmail directly to limit the possible abuse of bash.
With that said, less paranoid types might like your suggested fix and I will 
get back to you later today with test results.

Note You need to log in before you can comment on or make changes to this bug.