The mantis package (it is a PHP-based bug tracker application) needs to send mails with notifications about various events. All three methods available for sending are blocked by SELinux :)
1. using the php mail() function
    avc: denied { execute } for comm=sh dev=dm-0 name=sendmail.sendmail pid=3624 scontext=unconfined_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:sendmail_exec_t:s0
2. using sendmail
    avc: denied { execute } for comm=sh dev=dm-0 egid=48 euid=48 exe=/bin/bash exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name=sendmail.sendmail pid=4231 scontext=unconfined_u:system_r:httpd_t:s0 sgid=48 subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:sendmail_exec_t:s0 tty=(none) uid=48
3. using SMTP
    avc: denied { name_connect } for comm=httpd dest=25 pid=2692 scontext=unconfined_u:system_r:httpd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:smtp_port_t:s0
Any help appreciated...

You need to turn on the boolean httpd_can_sendmail:
    setsebool -P httpd_can_sendmail=1

Is "you" the final user, or can I add that command to the package %post? Does that also cover case 3 above? Anyway, thanks for the prompt reply.

Yes. It will cover all three. If your package requires this, yes, you can put it in your post install:
    selinuxenabled && setsebool -P httpd_can_sendmail=1
The problem is that you cannot turn it off when you remove your package. Allowing http to send mail opens http up to potential worm attacks/spam vulnerabilities. So having a separate cgi would work better. But since your app is written in mod_php, that is all we have.
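
A triage sketch for the three denials quoted in the report, added here as an example and not part of the original thread: it parses each AVC line and groups the records by source type, target type, object class and permission, which shows that the three mail methods fail on only two distinct accesses from httpd_t. The function names are this example's own; the sample lines are the ones from the report.

```python
import re
from collections import Counter

# The three denials quoted in the report above, one per line.
SAMPLE_AVCS = """\
avc: denied { execute } for comm=sh dev=dm-0 name=sendmail.sendmail pid=3624 scontext=unconfined_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:sendmail_exec_t:s0
avc: denied { execute } for comm=sh dev=dm-0 egid=48 euid=48 exe=/bin/bash exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name=sendmail.sendmail pid=4231 scontext=unconfined_u:system_r:httpd_t:s0 sgid=48 subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:sendmail_exec_t:s0 tty=(none) uid=48
avc: denied { name_connect } for comm=httpd dest=25 pid=2692 scontext=unconfined_u:system_r:httpd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:smtp_port_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type:level; the type is what policy rules match on.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated record: a context or the class is missing
    return {"source": source, "target": target, "tclass": tclass,
            "perms": tuple(m.group("perms").split()),
            "comm": fields.get("comm"), "dest": fields.get("dest")}


def distinct_denials(text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source"], rec["target"], rec["tclass"], rec["perms"])] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in distinct_denials(SAMPLE_AVCS).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Methods 1 and 2 collapse into the same record (httpd_t executing a sendmail_exec_t file), and method 3 is the separate name_connect to smtp_port_t.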