From Bernard Johnson:

" audit(1178594537.211:25): avc: denied { name_connect } for pid=31565 comm="httpd" dest=143 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket

Not sure why it says pop_port_t when I'm using imap but it will need to cover ports 25, 143, 389, 465, 587, 993. "
All mail ports are grouped under a single type name of pop_port_t. You need to turn on the policy boolean httpd_can_network_connect:

setsebool -P httpd_can_network_connect=1
Also you should install setroubleshoot. This would have given you an error message like:

Summary
    SELinux is preventing the http daemon from connecting to network port 143

Detailed Description
    SELinux has denied the http daemon from connecting to 143. An http script is trying to do a network connect to a remote port. If you did not setup httpd to network connections, this could signal a intrusion attempt.

Allowing Access
    If you want httpd to connect to network ports you need to turn on the httpd_can_network_network_connect boolean: "setsebool -P httpd_can_network_connect=1"

    The following command will allow this access:
    setsebool -P httpd_can_network_connect=1

Additional Information

Source Context                user_u:system_r:httpd_t
Target Context                system_u:object_r:pop_port_t
Target Objects                None [ tcp_socket ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name                   plugins.httpd_can_network_connect
Host Name
Platform
Alert Count                   1
First Seen                    Mon May 7 23:22:17 2007
Last Seen                     Mon May 7 23:22:17 2007
Local ID                      384d3a38-53db-419e-883c-6fea016f18c4
Line Numbers                  1

Raw Audit Messages
avc: denied { name_connect } for comm="httpd" dest=143 pid=31565 scontext=user_u:system_r:httpd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:pop_port_t:s0
(In reply to comment #1)
> All mail ports are grouped under a single type name of pop_port_t. You need to
> turn on the policy boolean httpd_can_network_connect
>
> setsebool -P httpd_can_network_connect=1

Are you suggesting that we do that in %post and reverse it in %postun? If so, doesn't that break when multiple packages start using it? Or, are you suggesting to put in the README for the package that those are required for the package to operate normally under selinux?
The problem I see here is that we don't have a transition from the httpd domain to some other domain. I guess that you are using some kind of mod_perl/mod_php/mod_python, so the address space is the same. If this was a separate cgi, we could write policy for your app, separate from httpd_t. Allowing httpd_t to connect to the network opens you up to your web site being used as a launching site for attacks on other machines. In order to make this work we should add a new boolean httpd_can_send_mail, which you could turn on and this would allow httpd to connect to the mail server.
Adding policy like the following would satisfy your needs.

tunable_policy(`httpd_can_sendmail',`
	# allow httpd to connect to mail servers
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_sendrecv_smtp_client_packets(httpd_t)
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
')

http can already connect to ldap ports.
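As an added triage example (not code from this bug report or from the Fedora policy or setroubleshoot projects): parse the AVC denial quoted at the top of the thread and pick the narrowest boolean, preferring the proposed httpd_can_sendmail over the broad httpd_can_network_connect when the target is one of the port types the tunable_policy above covers. MAIL_PORT_TYPES, parse_avc and recommend_boolean are this example's own names.

```python
import re

# Constructed sample: the denial quoted in the first comment of this bug.
SAMPLE_AVC = ('audit(1178594537.211:25): avc: denied { name_connect } for '
              'pid=31565 comm="httpd" dest=143 '
              'scontext=user_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types the proposed httpd_can_sendmail tunable grants access to
# (corenet_tcp_connect_smtp_port / corenet_tcp_connect_pop_port above).
MAIL_PORT_TYPES = {'pop_port_t', 'smtp_port_t'}


def parse_avc(line):
    """Turn one 'avc: denied' audit line into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # user:role:type:level -> pull out the type component for easy matching
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def recommend_boolean(rec):
    """Least-privilege boolean for an httpd_t tcp name_connect denial, or None."""
    if rec is None or rec.get('tclass') != 'tcp_socket':
        return None
    if 'name_connect' not in rec['perms'] or rec.get('scontext_type') != 'httpd_t':
        return None
    if rec.get('tcontext_type') in MAIL_PORT_TYPES:
        return 'httpd_can_sendmail'        # narrow: mail ports only
    return 'httpd_can_network_connect'     # broad: any port, as the bug warns


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec['tcontext_type'], rec['dest'], '->', recommend_boolean(rec))
```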