Bug 197627 - php mail() function disabled by SELinux
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware / OS: All / Linux
Priority / Severity: medium / medium
Assigned To: Daniel Walsh
Duplicates: 197628 197629
Reported: 2006-07-04 19:30 EDT by Kirk Smith
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-08-11 15:16:45 EDT
Doc Type: Bug Fix
Attachments: None
Description Kirk Smith 2006-07-04 19:30:27 EDT
Description of problem:
Use of the mail function found in PHP does not send mail. SELinux reports an
avc: denied { execute } .. comm="httpd" name="bash" .....
The mail() built-in function should work by default in PHP. It is commonly
used by a number of PHP-based web services. If the internal function was made
to avoid the use of bash, a reasonable SELinux security policy could be
written.

Comment 1 Daniel Walsh 2006-07-11 12:25:32 EDT
*** Bug 197628 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2006-07-11 12:26:10 EDT
*** Bug 197629 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2006-07-11 12:26:48 EDT
Can you give me the entire avc message(s)?
Comment 4 Kirk Smith 2006-07-12 19:17:07 EDT
Jul  7 15:36:51 ns1 kernel: audit(1152304611.113:325): avc:  denied  { execute }
for  pid=3913 comm="httpd" name="bash" dev=dm-0 ino=10420294
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
tclass=file
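The denial in comment 4 is the kind of line a defender wants to pick out of the syslog stream automatically: the web server domain (httpd_t) attempting to execute a shell binary (shell_exec_t). The following parser and filter are an added example written for this page, not code from Bugzilla, Fedora, or the reporter. The sample lines are constructed: the first is the comment 4 denial joined onto one line as the kernel emits it, the second is an invented unrelated denial included only to show that the filter leaves it alone.

```python
import re

# Constructed sample 1: the denial quoted in comment 4, on a single line.
SAMPLE_AVC = (
    'Jul  7 15:36:51 ns1 kernel: audit(1152304611.113:325): avc:  denied  { execute } '
    'for  pid=3913 comm="httpd" name="bash" dev=dm-0 ino=10420294 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 '
    'tclass=file'
)

# Constructed sample 2 (invented, not from the bug): a denial on a file read
# by a different domain, which the web-server-runs-shell filter should ignore.
BENIGN_AVC = (
    'Jul  7 15:40:02 ns1 kernel: audit(1152304802.501:326): avc:  denied  { read } '
    'for  pid=4100 comm="logrotate" name="messages" dev=dm-0 ino=10420300 '
    'scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file'
)

# "avc:  denied  { perm1 perm2 } for  key=value ..." as printed by the kernel.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields in one syslog line, or None if the
    line carries no AVC record. Security contexts are additionally split so
    the type component (third field) is available directly."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def is_shell_exec_by_web_server(rec):
    """True when the web server domain was denied executing a shell binary,
    i.e. the pattern PHP's mail() triggers when it shells out to sendmail."""
    return (
        rec is not None
        and rec["verdict"] == "denied"
        and "execute" in rec["perms"]
        and rec.get("scontext_type") == "httpd_t"
        and rec.get("tclass") == "file"
        and rec.get("tcontext_type") == "shell_exec_t"
    )


def scan_for_web_shell_exec(lines):
    """Run the filter over an iterable of syslog lines; returns the matching records."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_shell_exec_by_web_server(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_for_web_shell_exec([SAMPLE_AVC, BENIGN_AVC]):
        print(f'pid={hit["pid"]} comm={hit["comm"]} tried to execute '
              f'{hit["name"]} ({hit["scontext_type"]} -> {hit["tcontext_type"]})')
```

Feed it lines in the `kernel: audit(...)` syslog form shown in comment 4; a hit is the point at which to decide between the policy boolean suggested in comment 5 and the code-level change the reporter argues for in comment 6, rather than reaching for a blanket allow rule.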
Comment 5 Daniel Walsh 2006-07-17 15:09:23 EDT
Does setting the httpd_ssi_exec boolean fix your problems?

setsebool -P httpd_ssi_exec=1
Comment 6 Kirk Smith 2006-07-17 15:32:11 EDT
Call me old fashioned, if you wish. The way PHP mail is implemented, it uses
the PHP popen function, which executes bash with the command line. The
command line starts sendmail. Remember that part of this command line is
derived from user input. I considered the security risk of bash and sendmail
to both be unacceptable, and proceeded to come up with a workaround avoiding
the php mail function altogether. I turned to the PEAR Mail stuff, and used
the SMTP interface, which can connect to a specified host via SMTP to send
mail from httpd.

In the end, PHP should avoid using popen, and should implement a lower
level exec of sendmail directly to limit the possible abuse of bash.
With that said, less paranoid types might like your suggested fix and I will
get back to you later today with test results.
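
Comment 6 makes two points: a command line that passes through bash with a caller-supplied sender in it is a shell-injection risk, and the fix is to exec sendmail directly rather than through popen. The following is an added example, written in Python for this page rather than in PHP, and is not code from PHP, PEAR Mail, or the reporter; it shows the shell string a popen-style call would build beside an argv-based exec that never involves a shell, plus the sender validation that has to sit in front of either. The sendmail path is an assumption (the PHP runtime takes it from its sendmail_path setting); `-t`, `-i` and `-f` are standard sendmail options.

```python
import re
import subprocess
from email.message import EmailMessage

# Assumed location of the sendmail binary; PHP reads the equivalent from sendmail_path.
SENDMAIL_PATH = "/usr/sbin/sendmail"

# Deliberately narrow mailbox syntax: letters, digits and a few punctuation
# characters in the local part, dotted labels in the domain. Whitespace,
# CR/LF, quotes and shell metacharacters cannot match.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def is_safe_address(addr):
    """Accept only a plain mailbox address. A leading '-' is refused as well,
    so the value can never be taken for a sendmail option."""
    return bool(ADDR_RE.fullmatch(addr)) and not addr.startswith("-")


def shell_command_line(envelope_from):
    """The shape of what a popen()-style implementation hands to bash: a single
    string with the caller-supplied sender concatenated in. Returned for
    inspection only; this example never executes it."""
    return f"{SENDMAIL_PATH} -t -i -f {envelope_from}"


def build_sendmail_argv(envelope_from, sendmail_path=SENDMAIL_PATH):
    """Argument vector for a direct exec of sendmail. With no shell in the path
    the sender is exactly one argv element whatever it contains, and the
    validator rejects anything that is not a bare address before that."""
    if not is_safe_address(envelope_from):
        raise ValueError(f"refusing envelope sender {envelope_from!r}")
    # -t: take recipients from the message headers; -i: do not treat a lone
    # '.' line as end of input; -f: envelope sender.
    return [sendmail_path, "-t", "-i", "-f", envelope_from]


def build_message(sender, recipient, subject, body):
    """Assemble the message with the email package instead of string concatenation,
    so header values are handled by the library rather than pasted into raw text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_message(msg, envelope_from, sendmail_path=SENDMAIL_PATH):
    """Hand the message to sendmail on stdin. subprocess.run with a list and the
    default shell=False execs the binary directly, which is the 'lower level
    exec of sendmail' comment 6 asks for. Returns sendmail's exit status."""
    argv = build_sendmail_argv(envelope_from, sendmail_path)
    proc = subprocess.run(argv, input=msg.as_bytes(), check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs for a dry run; nothing is actually sent here.
    good = "bob@example.com"
    bad = "bob@example.com; extra"
    print("shell string that popen would run:", shell_command_line(bad))
    print("argv for direct exec:", build_sendmail_argv(good))
    try:
        build_sendmail_argv(bad)
    except ValueError as err:
        print("rejected:", err)
```

The contrast worth noticing is that `shell_command_line` happily returns a string containing the injected `; extra`, because concatenation cannot know where the address ends, whereas `build_sendmail_argv` refuses the same value outright and, even for accepted values, passes the sender as an isolated argv element that no shell ever reinterprets. On a system running SELinux this also means httpd never needs to execute a shell, which is exactly the transition the denial in comment 4 reports.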
