Bug 207901 - PHP mail() fails with selinux errors
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-09-25 04:57 EDT by Chris Jones
Modified: 2009-10-10 04:28 EDT
Doc Type: Bug Fix
Last Closed: 2007-02-14 10:16:31 EST

Description Chris Jones 2006-09-25 04:57:31 EDT
Description of problem:
When using exim as the MTA, using the mail() function within selinux fails.

Version-Release number of selected component (if applicable):
selinux-policy-2.3.7-2.fc5
exim-4.62-2.fc5
php-5.1.4-1
httpd-2.2.2-1.2

How reproducible:
Always

Steps to Reproduce:
1. Have a php script calling mail()
2. Request the php script via apache
3. selinux errors
  
Actual results:
Mail not sent
Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc:  denied  { setpgid } for  pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc:  denied  { setpgid } for  pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.009:6246): avc:  denied  { setpgid } for  pid=7999 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.029:6247): avc:  denied  { setpgid } for  pid=8002 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.049:6248): avc:  denied  { setpgid } for  pid=8005 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.077:6249): avc:  denied  { setpgid } for  pid=8008 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.093:6250): avc:  denied  { setpgid } for  pid=8011 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process

Expected results:
No errors, and mail sent
Comment 1 Jeremy French 2006-09-30 09:50:44 EDT
This is not a bug, SELinux is doing its job. See
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 for details on how to
allow specific avc denies.
Comment 2 Chris Jones 2006-09-30 14:01:39 EDT
It is a bug. 

It's something that should 'just work' and doesn't.
Comment 3 Daniel Walsh 2006-10-02 14:30:53 EDT
If you chcon -t sendmail_exec_t /usr/sbin/exim  

Does it work?
Comment 4 Chris Jones 2006-10-06 09:42:42 EDT
It does not seem to.
Comment 5 Daniel Walsh 2007-02-14 10:16:31 EST
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.
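
Added example (not part of the original bug report, and not audit2allow's own code): running audit2allow over the whole audit.log turns every denial in that log into an allow rule, so it helps to see what would be granted before building the module. This Python script groups AVC denials like the ones in the description and returns allow rules in the style audit2allow emits; the third sample line is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two denials copied from the report, plus one
# invented denial (last line) showing how unrelated rules get mixed in.
SAMPLE_LOG = """\
Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc:  denied  { setpgid } for  pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc:  denied  { setpgid } for  pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:57:02 silver kernel: audit(1159174622.100:6301): avc:  denied  { read write } for  pid=8100 comm="exim" name="input" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def summarize(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for record in re.split(r'(?=audit\()', log_text):   # one chunk per audit record
        m = AVC_RE.search(" ".join(record.split()))     # undo line wrapping
        if not m:
            continue
        stype = m["scon"].split(":")[2]                 # user:role:TYPE:level
        ttype = m["tcon"].split(":")[2]
        entry = rules[(stype, ttype, m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        entry["count"] += 1
    return dict(rules)

def allow_rules(rules):
    """Render each group as the allow rule a local module would need."""
    out = []
    for (stype, ttype, tclass), e in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        perms = sorted(e["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_s};")
    return out

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Rules that do not belong to the mail path can be dropped by filtering the log down to the relevant records before passing it to audit2allow.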
Comment 6 Milan Kerslager 2009-10-10 04:28:46 EDT
Just FYI: current SELinux implementation has a boolean to solve this problem:

setsebool -P httpd_can_sendmail=1
