Bug 479821 - selinux preventing sendmail to read files targeted as httpd_t
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Joe Orton
Reported: 2009-01-13 07:14 EST by extremoburo
Modified: 2009-02-26 09:12 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-02-26 03:16:51 EST
Description extremoburo 2009-01-13 07:14:18 EST
Description of problem:

type=AVC msg=audit(1231842874.365:12653): avc:  denied  { read } for  pid=16853 comm="sendmail" path="eventpoll:[2710364]" dev=eventpollfs ino=2710364 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=file

I can solve it out with this custom policy:

require {
        type httpd_t;
        type system_mail_t;
        class file read;
}

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;

Version-Release number of selected component (if applicable):
postfix-2.3.3-2.1.el5_2 (sendmail.postfix)

Additional info:

OS: Centos 5.2
Comment 1 extremoburo 2009-01-13 07:15:29 EST
installed selinux: selinux-policy-2.4.6-137.1.el5
Comment 2 Daniel Walsh 2009-01-13 10:20:29 EST
This is pretty strange and I have never seen it before or in Fedora releases. Probably it is not blocking anything of use. Are you receiving email?
Comment 3 extremoburo 2009-01-13 11:02:42 EST
I've just set SELinux to enforcing mode and it looks like no one is suffering because of that. I'll let you know any news.
Comment 4 Asko Tontti 2009-02-22 16:39:38 EST
I have seen this with CentOS5. It seems that httpd is leaking file descriptors when it is forking sendmail.

type=AVC msg=audit(1235275202.224:934): avc:  denied  { read } for  pid=18556 comm="sendmail" path="eventpoll:[245714]" dev=eventpollfs ino=245714 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

lsof command shows
COMMAND     PID      USER   FD      TYPE             DEVICE       SIZE       NODE NAME
httpd      3194    apache   14r     0000               0,10          0     245714 eventpoll

so SELinux is preventing sendmail from accessing httpd's eventpoll, which seems the correct thing to do.
Comment 5 Joe Orton 2009-02-23 11:45:46 EST
From what are you invoking sendmail?  A php script?  Expected behaviour, if so.  (It's due to an impedance mismatch between the httpd API which prevents fd leaks, and the PHP code, which doesn't use it)
Comment 6 Asko Tontti 2009-02-25 13:20:16 EST
> From what are you invoking sendmail?

PHP program which uses PHPMailer. PHPMailer then runs sendmail with popen().
Comment 7 Joe Orton 2009-02-26 03:16:51 EST
Right, expected behaviour then, I'm afraid.

This should get fixed in some future release when O_CLOEXEC support is integrated properly into APR, but this is unlikely to be suitable to backport to RHEL5.
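The descriptor leak discussed in comments 4 to 7, as an added example (this is not code from the bug report, httpd, APR or PHPMailer): a Linux C program that creates an epoll descriptor the way a server would, asks the kernel whether that descriptor would survive an execve(), then shows both mitigations: creating it with EPOLL_CLOEXEC (the O_CLOEXEC route comment 7 refers to) and a defensive fcntl(FD_CLOEXEC) sweep a process can run before handing control to something that will popen() a helper. All function names are the example's own; the probe assumes a POSIX shell at /bin/sh and an epoll-capable kernel.

```c
/* Added example, not part of the bug report. Linux-only (epoll).
 * Demonstrates how an eventpoll descriptor without FD_CLOEXEC leaks into a
 * child started via popen()/execve(), and two ways to prevent that. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 = fd is open and would be inherited across execve();
 * 0 = fd is open but marked close-on-exec; -1 = fd is not open. */
int fd_inherited_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Mimics a server creating its eventpoll object without close-on-exec,
 * the situation behind the AVC denials in this report. */
int make_leaky_epoll(void)
{
    return epoll_create1(0);
}

/* The fix comment 7 alludes to: request the flag at creation time, so there
 * is no window in which a concurrent fork()+exec() can inherit the fd. */
int make_cloexec_epoll(void)
{
    return epoll_create1(EPOLL_CLOEXEC);
}

/* Defensive sweep for code that cannot fix the creator: mark every open fd
 * numbered >= first as close-on-exec. Returns how many flags were changed. */
int mark_cloexec_from(int first)
{
    int changed = 0;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;  /* assumption: bound the sweep on huge rlimits */
    for (int fd = first; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            changed++;
    }
    return changed;
}

/* Real check: spawn /bin/sh the way popen() does and have it dup the fd
 * number onto fd 9, which only succeeds if the child still holds it.
 * 1 = child saw the fd (leak), 0 = child did not, -1 = could not spawn. */
int probe_child_sees_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);  /* silence sh's EBADF message */
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int leaky = make_leaky_epoll();
    int safe = make_cloexec_epoll();
    printf("leaky epoll fd %d: inherited=%d child_sees=%d\n", leaky,
           fd_inherited_on_exec(leaky), probe_child_sees_fd(leaky));
    printf("cloexec epoll fd %d: inherited=%d child_sees=%d\n", safe,
           fd_inherited_on_exec(safe), probe_child_sees_fd(safe));
    printf("sweep changed %d descriptor(s)\n", mark_cloexec_from(3));
    printf("leaky epoll fd %d after sweep: child_sees=%d\n", leaky,
           probe_child_sees_fd(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```

Run as-is, the first probe reports the child seeing the plain epoll descriptor, which is exactly what SELinux then observes as sendmail reading an httpd_t eventpoll file; the EPOLL_CLOEXEC descriptor and the swept one are invisible to the child. The sweep is a stopgap: it races with any thread that forks between the sweep and the next descriptor being created, which is why setting the flag at creation time is the proper fix.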
Comment 8 Daniel Walsh 2009-02-26 09:12:32 EST
Adding dontaudit to selinux-policy-2.4.6-216.el5
