Bug 207901 - PHP mail() fails with selinux errors
Summary: PHP mail() fails with selinux errors
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-09-25 08:57 UTC by Chris Jones
Modified: 2009-10-10 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-02-14 15:16:31 UTC
Type: ---
Embargoed:



Description Chris Jones 2006-09-25 08:57:31 UTC
Description of problem:
When using exim as the MTA, using the mail() function within selinux fails.

Version-Release number of selected component (if applicable):
selinux-policy-2.3.7-2.fc5
exim-4.62-2.fc5
php-5.1.4-1
httpd-2.2.2-1.2

How reproducible:
Always

Steps to Reproduce:
1. Have a php script calling mail()
2. Request the php script via apache
3. selinux errors
  
Actual results:
Mail not sent
Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc:  denied  { setpgid } for  pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc:  denied  { setpgid } for  pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.009:6246): avc:  denied  { setpgid } for  pid=7999 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.029:6247): avc:  denied  { setpgid } for  pid=8002 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.049:6248): avc:  denied  { setpgid } for  pid=8005 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.077:6249): avc:  denied  { setpgid } for  pid=8008 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.093:6250): avc:  denied  { setpgid } for  pid=8011 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process

Expected results:
No errors, and mail sent

Comment 1 Jeremy French 2006-09-30 13:50:44 UTC
This is not a bug; SELinux is doing its job. See
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 for details on how to
allow specific avc denies.

Comment 2 Chris Jones 2006-09-30 18:01:39 UTC
It is a bug. 

It's something that should 'just work' and doesn't.

Comment 3 Daniel Walsh 2006-10-02 18:30:53 UTC
If you chcon -t sendmail_exec_t /usr/sbin/exim  

Does it work?

Comment 4 Chris Jones 2006-10-06 13:42:42 UTC
It does not seem to.

Comment 5 Daniel Walsh 2007-02-14 15:16:31 UTC
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log 
and build local customized policy

Comment 6 Milan Kerslager 2009-10-10 08:28:46 UTC
Just FYI: current SELinux implementation has a boolean to solve this problem:

setsebool -P httpd_can_sendmail=1
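
Before loading a local module built from the audit log (Comment 5), it helps to see exactly which access the logged denials correspond to. The following is an added example, not part of the bug report and not audit2allow's own code: it groups AVC denials by source type, target type, class and permission and renders each group as the type-enforcement rule it maps to. The first two log lines are copied from the report; the third line and the type name example_spool_t are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-2 are from the report above; line 3 is constructed (hypothetical type).
SAMPLE_LOG = '''\
Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc:  denied  { setpgid } for  pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc:  denied  { setpgid } for  pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:57:00 silver kernel: audit(1159174620.001:6300): avc:  denied  { read write } for  pid=8100 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:example_spool_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def se_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    return context.split(':')[2]


def summarize(log_text):
    """Count denials per (source type, target type, class, perms, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        comm = COMM_RE.search(line)
        key = (se_type(m['scon']), se_type(m['tcon']), m['tclass'],
               tuple(sorted(m['perms'].split())), comm.group(1) if comm else '?')
        counts[key] += 1
    return counts


def as_rules(counts):
    """Render each distinct denial as the allow rule it corresponds to."""
    rules = set()
    for src, tgt, tclass, perms, _comm in counts:
        target = 'self' if src == tgt else tgt
        perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.add(f'allow {src} {target}:{tclass} {perm_s};')
    return sorted(rules)


if __name__ == '__main__':
    counts = summarize(SAMPLE_LOG)
    for key, n in counts.items():
        print(n, key)
    print('\n'.join(as_rules(counts)))
```

Every rule in the output applies to all programs running in the source domain, not only to exim, which is why the list is worth reading before the module is installed.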

