Description of problem:
When using exim as the MTA, using the mail() function within SELinux fails.

Version-Release number of selected component (if applicable):
selinux-policy-2.3.7-2.fc5
exim-4.62-2.fc5
php-5.1.4-1
httpd-2.2.2-1.2

How reproducible:
Always

Steps to Reproduce:
1. Have a php script calling mail()
2. Request the php script via apache
3. SELinux errors

Actual results:
Mail not sent

Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc: denied { setpgid } for pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc: denied { setpgid } for pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.009:6246): avc: denied { setpgid } for pid=7999 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.029:6247): avc: denied { setpgid } for pid=8002 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.049:6248): avc: denied { setpgid } for pid=8005 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.077:6249): avc: denied { setpgid } for pid=8008 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.093:6250): avc: denied { setpgid } for pid=8011 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process

Expected results:
No errors, and mail sent
This is not a bug; SELinux is doing its job. See http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 for details on how to allow specific avc denies.
It is a bug. It's something that should 'just work' and doesn't.
If you chcon -t sendmail_exec_t /usr/sbin/exim, does it work?
It does not seem to.
All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use audit2allow -M mypolicy -i /var/log/audit/audit.log and build a local customized policy.
Just FYI: current SELinux implementation has a boolean to solve this problem: setsebool -P httpd_can_sendmail=1
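Added example, not from the report or any of the commenters: a POSIX shell/awk function that collapses AVC denial lines like those in the report into the allow rules a local audit2allow -M module would carry, so you can see exactly what such a module grants (here, setpgid for every httpd_sys_script_t script, not just exim) before choosing between it and the narrower httpd_can_sendmail boolean. The first two sample lines are from the report; the third is constructed to show a multi-permission denial with a distinct target type; function and variable names are mine.

```sh
#!/bin/sh
# Sample input (constructed): two AVC lines from the report above plus one
# made-up file denial to exercise permission aggregation.
AVC_SAMPLE='Sep 25 09:56:11 silver kernel: audit(1159174571.853:6244): avc: denied { setpgid } for pid=7991 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:11 silver kernel: audit(1159174571.977:6245): avc: denied { setpgid } for pid=7996 comm="exim" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
Sep 25 09:56:12 silver kernel: audit(1159174572.009:6246): avc:  denied  { read write } for  pid=8001 comm="exim" name="exim_mainlog" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_to_rules: read AVC "denied" lines on stdin, emit one
#   allow <source type> <target type>:<class> { perms };
# per unique (source, target, class), with permissions merged and
# duplicates dropped. A target equal to the source becomes "self",
# as in policy written by hand or by audit2allow.
avc_to_rules() {
  awk '
  /avc: +denied/ {
    s = index($0, "{"); e = index($0, "}")
    perms = substr($0, s + 1, e - s - 1)          # text between the braces
    src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      # contexts are user:role:type:level; the type is the third field
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   cls = substr($i, 8)
    }
    if (src == tgt) tgt = "self"
    key = src " " tgt ":" cls
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) {
      if (p[j] != "" && !((key, p[j]) in seen)) {
        seen[key, p[j]] = 1
        rules[key] = rules[key] " " p[j]
      }
    }
  }
  END { for (k in rules) printf "allow %s {%s };\n", k, rules[k] }'
}

# Review what a local module built from this log would grant. The
# setpgid rule applies to every CGI/PHP script running as
# httpd_sys_script_t, which is why a targeted boolean is preferable
# when one exists.
printf '%s\n' "$AVC_SAMPLE" | avc_to_rules | sort
```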