[CentOS] SELinux prevents my PHP script from sending mail

Alan M. Evans ame1 at extratech.com
Thu May 3 15:33:12 UTC 2012


On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> > On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> > 
> >> What AVC messages are you seeing?
> > 
> > None now, as I said. But before I applied the local policy, the denials 
> > were:
> > 
> > type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for  pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> > 
> > I used these with audit2allow to make a local policy module. Since then, 
> > audit.log is completely silent when the script execution fails.

> An email comes in and this then executes a cgi script which connects to postgresql?

Yes. The DB that keeps the mailing list recipients is postgresql. I'm
not entirely certain how it got that far, given that sendmail was denied
read and open access on the script.
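The AVC records quoted in this thread are a compact example of what audit2allow actually turns into policy, so here is a small parser, added as an illustration and not part of the thread or of any CentOS or SELinux tooling, that groups the denials by (source type, target type, object class) and renders the allow rules audit2allow would derive from them. The log text embedded below is the six records quoted above; the function names (parse_avc, summarize, allow_rules, domains_seen) are this example's own.

```python
"""Group SELinux AVC denials and render the allow rules audit2allow would derive.

Added example for the thread above; the embedded records are the ones quoted
in the thread, one record per line.
"""
import re
from collections import defaultdict

# The six AVC records quoted in the thread, one per line.
AVC_LOG = """\
type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for  pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a bare token (e.g. dev=cciss!c0d0p1)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type:level; the type (index 2) is what policy rules use.
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            denied[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in denied.items()}


def allow_rules(summary):
    """Render the grouped denials as allow rules in SELinux policy syntax."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def domains_seen(log_text):
    """Map each command name to the source domain(s) it was running in."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            seen[rec['comm']].add(rec['source_type'])
    return {comm: sorted(domains) for comm, domains in seen.items()}


if __name__ == '__main__':
    for rule in allow_rules(summarize(AVC_LOG)):
        print(rule)
    print(domains_seen(AVC_LOG))
```

Run on the thread's records, this produces three rules: sendmail_t gets getattr, ioctl, open and read on every httpd_sys_content_t file, write on postgresql_tmp_t socket files, and connectto to postgresql_t. That is wide: it lets anything running in the mail domain read the whole web root and talk to the database, not just this one script. domains_seen also makes the underlying cause visible: php-cgi is running in sendmail_t, i.e. the script inherited the mail domain instead of transitioning to one of its own. On the "audit.log is completely silent" point, remember that dontaudit rules suppress denials from the log; `semodule -DB` rebuilds policy with those rules disabled so the hidden denials show up, and `semodule -B` restores them afterwards.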
