Bug 197627 – php mail() function disabled by SELinux

Bug 197627 - php mail() function disabled by SELinux

Summary:	php mail() function disabled by SELinux

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	5
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	197628 197629 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-07-04 19:30 EDT by Kirk Smith
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-08-11 15:16:45 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kirk Smith 2006-07-04 19:30:27 EDT

Description of problem:
Use of the mail function found in php does not send mail.  selinux reports a 
avc: denied { execute } .. comm="httpd" name="bash" .....
The mail() built-in function should work by default in PHP.  It is commonly 
used by a number of PHP based web services.  If the internal function was made 
to avoid the use of bash, a reasonable SELinux security policy could be 
written.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2006-07-11 12:25:32 EDT

*** Bug 197628 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2006-07-11 12:26:10 EDT

*** Bug 197629 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2006-07-11 12:26:48 EDT

Csn you give me the entire avc message(s)

Comment 4 Kirk Smith 2006-07-12 19:17:07 EDT

Jul  7 15:36:51 ns1 kernel: audit(1152304611.113:325): avc:  denied  { execute }
for  pid=3913 comm="httpd" name="bash" dev=dm-0 ino=10420294
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
tclass=file

Comment 5 Daniel Walsh 2006-07-17 15:09:23 EDT

Does setting the httpd_ssi_exec boolean fix your problems?

setsebool-P httpd_ssi_exec=1

Comment 6 Kirk Smith 2006-07-17 15:32:11 EDT

Call me old fashioned, if you wish. The way PHP mail is implemented, it uses 
the PHP popen function, which executes bash with the command line.  The 
command line starts sendmail.  Remember that part of this command line is 
derived from user input.  I considered the security risk of bash and sendmail 
to both be unacceptable, and proceeded to come up with a workaround avoiding 
the php mail function altogether. I turned to the PEAR Mail stuff, and used 
the SMTP interface, which can connect to a specified host via SMTP to send 
mail from httpd.

In the end, PHP should avoiding using popen, and should implement a lower 
level exec of sendmail directly to limit the possible abuse of bash.
With that said, less paranoid types might like your suggested fix and I will 
get back to you later today with test results.

Note You need to log in before you can comment on or make changes to this bug.