Description of problem:
Use of the mail function found in PHP does not send mail. SELinux reports an avc: denied { execute } .. comm="httpd" name="bash" ..... The mail() built-in function should work by default in PHP. It is commonly used by a number of PHP-based web services. If the internal function was made to avoid the use of bash, a reasonable SELinux security policy could be written.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
*** Bug 197628 has been marked as a duplicate of this bug. ***
*** Bug 197629 has been marked as a duplicate of this bug. ***
Can you give me the entire avc message(s)?
Jul 7 15:36:51 ns1 kernel: audit(1152304611.113:325): avc: denied { execute } for pid=3913 comm="httpd" name="bash" dev=dm-0 ino=10420294 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Does setting the httpd_ssi_exec boolean fix your problems?

setsebool -P httpd_ssi_exec=1
Call me old-fashioned, if you wish. The way PHP mail is implemented, it uses the PHP popen function, which executes bash with the command line. The command line starts sendmail. Remember that part of this command line is derived from user input. I considered the security risk of bash and sendmail to both be unacceptable, and proceeded to come up with a workaround avoiding the php mail function altogether. I turned to the PEAR Mail stuff, and used the SMTP interface, which can connect to a specified host via SMTP to send mail from httpd. In the end, PHP should avoid using popen, and should implement a lower-level exec of sendmail directly to limit the possible abuse of bash. With that said, less paranoid types might like your suggested fix and I will get back to you later today with test results.
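A worked example of the SMTP workaround described in the comment above, added here for illustration; it is not code from the bug report, from PHP or from the PEAR project. It assumes the PEAR Mail package is installed and that a relay at the placeholder host smtp.example.com accepts mail from the web server. The helper functions send_via_smtp, safe_address and safe_header_value are my own names. The point is that no value from a web form ever reaches a shell or a sendmail command line: the message goes out over a TCP connection, and header values are checked before they are used.

```php
<?php
// Added example, not from the bug report or the PEAR Mail package.
// Sends mail from httpd over SMTP with PEAR Mail instead of PHP's mail(),
// which hands a sendmail command line to a shell through popen().
// Assumptions: PEAR Mail is installed; $SMTP_HOST (placeholder) is a relay
// that accepts mail from this web server.
require_once 'Mail.php';

$SMTP_HOST = 'smtp.example.com'; // placeholder relay, replace with your own

// Refuse any value that could start a new header line. Form-supplied
// addresses and subjects are the usual source of header injection.
function safe_header_value($value)
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    return trim($value);
}

// A header-safe, syntactically valid address, or false.
function safe_address($addr)
{
    $addr = safe_header_value($addr);
    if ($addr === false || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $addr;
}

// Returns true on success, or an error string on failure.
function send_via_smtp($host, $from, $to, $subject, $body)
{
    $from    = safe_address($from);
    $to      = safe_address($to);
    $subject = safe_header_value($subject);
    if ($from === false || $to === false || $subject === false) {
        return 'invalid header value';
    }

    $headers = array(
        'From'         => $from,
        'To'           => $to,
        'Subject'      => $subject,
        'Date'         => date('r'),
        'Content-Type' => 'text/plain; charset=UTF-8',
    );

    // The 'smtp' backend talks to the relay over a socket; no local
    // process is spawned, so there is nothing for SELinux to deny here.
    $mailer = Mail::factory('smtp', array(
        'host' => $host,
        'port' => 25,
        'auth' => false,
    ));
    if (PEAR::isError($mailer)) {
        return $mailer->getMessage();
    }

    $result = $mailer->send($to, $headers, $body);
    if (PEAR::isError($result)) {
        return $result->getMessage();
    }
    return true;
}

// Constructed sample input. The second call carries a CR/LF in the subject
// and is refused before any connection to the relay is opened.
var_dump(send_via_smtp($SMTP_HOST, 'webmaster@example.com', 'user@example.com',
                       'Account notice', "Hello from httpd.\n"));
var_dump(send_via_smtp($SMTP_HOST, 'webmaster@example.com', 'user@example.com',
                       "Account notice\r\nX-Extra: injected", "Hello\n"));
```

With this in place the httpd_t domain only needs permission to open an outbound SMTP connection (the httpd_can_network_connect or, on policies that have it, httpd_can_sendmail boolean), and the shell_exec_t denial from the original report does not arise because bash is never executed.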