[CentOS] CentOS 5.2 + SELinux + Apache/PHP + Postfix

[А. Кириллов]

> I'm running CentOS 5.2 with SELinux in enforcing mode (default
> targeted policy). The server hosts a PHP web app that sends mail. I'm
> getting the following errors (see end of message) in my selinux
> audit.log file every time the app sends an email. The email always
> seems to get sent successfully, despite the log messages. However,
> they do concern me and I would like to understand what they mean and
> why they occur.
> 
> The first set of messages seems to relate to postfix being denied
> attempts to create/read/write a temporary file in Apache's context. In
> the second set, it seems to postdrop is attempting to do something
> with apache's error log file.
> 
> Can anyone help make sense of this? I know I can create policy rules
> to allow these actions. But I don't want to do that without
> understanding the implications. For reference, audit2allow suggests
> the following policy additions:
> 
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t httpd_log_t:file getattr;
> 
> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;
> allow system_mail_t httpd_tmp_t:file { read write };
> 
> Any help greatly appreciated.

If these denials do not interfere with the normal workflow
of the application you may add dontaudit rules to your local policy.
The unnecessary access will still be denied but you won't get
these annoying messages in the logs.

There's a plenty of dontaudit rules in the base policy
shipped with centos. If you're curious you may install
/usr/share/selinux/targeted/enableaudit.pp
which is a base policy with dontaudit rules turned off.

This short article by Dan Walsh might be useful:
http://danwalsh.livejournal.com/11673.html

HTH