Hello all...
I maintain an amateurish email list for my wife's website on my CentOS 6 server. Once-a-month, she sends mail to "mylistaddr@mydomain.com" and the /etc/aliases file redirects that to my script:
mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
The script, in turn, reads the recipient addresses out of a DB and composes and sends the mails. This all worked great until this month's mailing.
Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error 255". When I see programs complaining about "unknown" conditions, I usually suspect SELinux first, and sure enough...
setenforce 0
then everything works like a charm. I wonder what changed between last month and this month?
Anyway, I checked the audit.log file and found the relevant AVC denials. I created a local policy (audit2allow) to circumvent the denials, which helpfully prevented the denial messages in audit.log. But the maillist script still fails identically as long as SELinux is enforcing. And now nothing shows up in audit.log.
So SELinux is preventing sendmail from calling my maillist script and not reporting the reason. How do I go about figuring out what's broken and how to fix it?
-Alan
On Wednesday 02 May 2012, Alan M. Evans wrote:
> Hello all...
> I maintain an amateurish email list for my wife's website on my CentOS 6 server. Once-a-month, she sends mail to "mylistaddr@mydomain.com" and the /etc/aliases file redirects that to my script:
> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
> The script, in turn, reads the recipient addresses out of a DB and composes and sends the mails. This all worked great until this month's mailing.
> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error 255". When I see programs complaining about "unknown" conditions, I usually suspect SELinux first, and sure enough...
> setenforce 0
> then everything works like a charm. I wonder what changed between last month and this month?
> Anyway, I checked the audit.log file and found the relevant AVC denials. I created a local policy (audit2allow) to circumvent the denials, which helpfully prevented the denial messages in audit.log. But the maillist script still fails identically as long as SELinux is enforcing. And now nothing shows up in audit.log.
> So SELinux is preventing sendmail from calling my maillist script and not reporting the reason. How do I go about figuring out what's broken and how to fix it?
Do you have the httpd_can_sendmail boolean on?
On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
> On Wednesday 02 May 2012, Alan M. Evans wrote:
>> Hello all...
>> I maintain an amateurish email list for my wife's website on my CentOS 6 server. Once-a-month, she sends mail to "mylistaddr@mydomain.com" and the /etc/aliases file redirects that to my script:
>> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>> The script, in turn, reads the recipient addresses out of a DB and composes and sends the mails. This all worked great until this month's mailing.
>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error 255". When I see programs complaining about "unknown" conditions, I usually suspect SELinux first, and sure enough...
>> setenforce 0
>> then everything works like a charm. I wonder what changed between last month and this month?
>> Anyway, I checked the audit.log file and found the relevant AVC denials. I created a local policy (audit2allow) to circumvent the denials, which helpfully prevented the denial messages in audit.log. But the maillist script still fails identically as long as SELinux is enforcing. And now nothing shows up in audit.log.
>> So SELinux is preventing sendmail from calling my maillist script and not reporting the reason. How do I go about figuring out what's broken and how to fix it?
> Do you have the httpd_can_sendmail boolean on?
Yes.
On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
>> On Wednesday 02 May 2012, Alan M. Evans wrote:
>>> Hello all...
>>> I maintain an amateurish email list for my wife's website on my CentOS 6 server. Once-a-month, she sends mail to "mylistaddr@mydomain.com" and the /etc/aliases file redirects that to my script:
>>> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>>> The script, in turn, reads the recipient addresses out of a DB and composes and sends the mails. This all worked great until this month's mailing.
>>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error 255". When I see programs complaining about "unknown" conditions, I usually suspect SELinux first, and sure enough...
>>> setenforce 0
>>> then everything works like a charm. I wonder what changed between last month and this month?
>>> Anyway, I checked the audit.log file and found the relevant AVC denials. I created a local policy (audit2allow) to circumvent the denials, which helpfully prevented the denial messages in audit.log. But the maillist script still fails identically as long as SELinux is enforcing. And now nothing shows up in audit.log.
>>> So SELinux is preventing sendmail from calling my maillist script and not reporting the reason. How do I go about figuring out what's broken and how to fix it?
>> Do you have the httpd_can_sendmail boolean on?
> Yes.
Actually, just looking at my own description and I realize that the subject should read that SELinux is preventing my script from *receiving* mail, not sending mail. Various scripts on the site send mail all the time with no problem. It's the execution (via the aliases file) of email-cgi.php that fails.
-Alan
On 05/03/2012 10:02 AM, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
>> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
>>> On Wednesday 02 May 2012, Alan M. Evans wrote:
>>>> Hello all...
>>>> I maintain an amateurish email list for my wife's website on my CentOS 6 server. Once-a-month, she sends mail to "mylistaddr@mydomain.com" and the /etc/aliases file redirects that to my script:
>>>> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>>>> The script, in turn, reads the recipient addresses out of a DB and composes and sends the mails. This all worked great until this month's mailing.
>>>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error 255". When I see programs complaining about "unknown" conditions, I usually suspect SELinux first, and sure enough...
>>>> setenforce 0
>>>> then everything works like a charm. I wonder what changed between last month and this month?
>>>> Anyway, I checked the audit.log file and found the relevant AVC denials. I created a local policy (audit2allow) to circumvent the denials, which helpfully prevented the denial messages in audit.log. But the maillist script still fails identically as long as SELinux is enforcing. And now nothing shows up in audit.log.
>>>> So SELinux is preventing sendmail from calling my maillist script and not reporting the reason. How do I go about figuring out what's broken and how to fix it?
>>> Do you have the httpd_can_sendmail boolean on?
>> Yes.
> Actually, just looking at my own description and I realize that the subject should read that SELinux is preventing my script from *receiving* mail, not sending mail. Various scripts on the site send mail all the time with no problem. It's the execution (via the aliases file) of email-cgi.php that fails.
> -Alan
What AVC messages are you seeing?
[ Sorry about the private message. Reply-to header wasn't set in your message. Resending to all... ]
On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> What AVC messages are you seeing?
None now, as I said. But before I applied the local policy, the denials were:
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
I used these with audit2allow to make a local policy module. Since then, audit.log is completely silent when the script execution fails.
-Alan
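Before loading an audit2allow module it is worth seeing what the denials actually add up to, because every rule the module carries is a permanent widening of the source domain. The script below is an added example, not code from the thread or from CentOS: it feeds the six AVC records posted above through awk and prints the allow rules a local module would need, plus the program/domain pairs seen in the log, which is what makes visible that php-cgi is running in sendmail_t when it is started from the pipe alias. On the silent failure that follows, a denial that leaves no AVC record is normally one covered by a dontaudit rule; on CentOS 6, semodule -DB rebuilds the policy with dontaudit rules disabled (semodule -B restores them), after which the remaining denial shows up in audit.log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials into the
# allow rules a local policy module would carry, for review before loading.

# sample_avcs: the six denials posted in the thread, one record per line.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
EOF
}

# avc_rules: read AVC records on stdin and print one allow rule per
# (source type, target type, class). Permissions are listed in order of
# first sighting and de-duplicated; output is sorted in the C locale so the
# order does not depend on the system's collation settings.
avc_rules() {
    awk '
    /avc: *denied/ {
        perm = $0; sub(/.*avc: *denied *\{ */, "", perm); sub(/ *\}.*/, "", perm)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        key = sa[3] " " ta[3] ":" c
        if (index(" " perms[key] " ", " " perm " ") == 0)
            perms[key] = perms[key] " " perm
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }
    ' | LC_ALL=C sort
}

# avc_domains: which program (comm=) was running in which SELinux domain
# when it was denied. On the thread's records this prints "php-cgi sendmail_t":
# the pipe alias inherits sendmail's domain, so every rule above widens
# sendmail_t towards web content and the database socket.
avc_domains() {
    awk '
    /avc: *denied/ {
        cm = $0; sub(/.*comm="/, "", cm); sub(/".*/, "", cm)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        print cm, sa[3]
    }' | LC_ALL=C sort -u
}

# Stand-alone demo on the thread's records. On a live box, feed the real log:
#   avc_rules < /var/log/audit/audit.log
sample_avcs | avc_domains
sample_avcs | avc_rules
```

The three rules it prints (file access to httpd_sys_content_t, write to the postgresql_tmp_t socket file, connectto to postgresql_t) are exactly what the local module granted; reading them as a list makes it obvious that the mail delivery path is doing the web tier's and the database client's work from inside the MTA's domain, which is the thing to question rather than simply allow.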
On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> [ Sorry about the private message. Reply-to header wasn't set in your message. Resending to all... ]
> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
>> What AVC messages are you seeing?
> None now, as I said. But before I applied the local policy, the denials were:
> type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> I used these with audit2allow to make a local policy module. Since then, audit.log is completely silent when the script execution fails.
> -Alan
An email comes in and this then executes a cgi script which connects to postgresql?
On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
>> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
>>> What AVC messages are you seeing?
>> None now, as I said. But before I applied the local policy, the denials were:
>> type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>> type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>> type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>> type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>> type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
>> type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
>> I used these with audit2allow to make a local policy module. Since then, audit.log is completely silent when the script execution fails.
> An email comes in and this then executes a cgi script which connects to postgresql?
Yes. The DB that keeps the mailing list recipients is postgresql. I'm not entirely certain how it got that far, given that sendmail was denied read and open access on the script.
2012/5/3 Alan M. Evans ame1@extratech.com:
> [ Sorry about the private message. Reply-to header wasn't set in your message. Resending to all... ]
> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
>> What AVC messages are you seeing?
> None now, as I said. But before I applied the local policy, the denials were:
How about trying something like this:
su - useraccount-under-script-runs -s /bin/bash
and then run following commands:
/usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php
or
strace /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php
-- Eero
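Running the handler by hand under strace, as suggested above, shows the failing call once; the complementary check is to leave something in place that records the failure every time sendmail invokes the script. The bounce text "unknown mailer error 255" is sendmail reporting the program's exit status, and php-cgi exits with 255 on a fatal error, so the reason is on the script's stderr, which a pipe alias discards. The wrapper below is an added example, not code from the thread: the alias points at the wrapper instead of at php-cgi directly, and the wrapper appends stderr plus a timestamped status line to a log before handing the same exit status back to sendmail. The wrapper path and the log path are hypothetical; the php-cgi command line is the one from the original alias.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper for the /etc/aliases pipe
# that records the handler's stderr and exit status. sendmail only reports
# the status ("unknown mailer error 255"); php-cgi's reason for that status
# goes to stderr, which the pipe otherwise throws away.
#
# Alias line (the wrapper's path is hypothetical):
#   mylistaddr: "| /usr/local/bin/email-cgi-wrapper.sh --run"

# Hypothetical log path. The pipe runs in the delivering MTA's domain
# (sendmail_t in the posted AVCs), so this file must be writable from that
# domain; if it is not, replace the printf below with logger(1) so the
# record goes to syslog instead.
LOGFILE=${LOGFILE:-/var/log/email-cgi-wrapper.log}

# run_logged LOGFILE CMD [ARGS...]
# Runs CMD with stdin passed through (the incoming message), appends its
# stderr and a timestamped status line to LOGFILE, and returns CMD's exit
# status unchanged so the bounce still reflects the real outcome.
run_logged() {
    log=$1; shift
    "$@" 2>>"$log"
    rc=$?
    printf '%s exit=%d cmd=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" "$*" >>"$log"
    return "$rc"
}

# last_exit LOGFILE: the exit status recorded by the most recent run,
# handy for a quick check after a test mailing.
last_exit() {
    sed -n 's/.* exit=\([0-9]*\) cmd=.*/\1/p' "$1" | tail -n 1
}

# Entry point when invoked from the alias: run the real handler and exit
# with its status.
if [ "${1:-}" = "--run" ]; then
    run_logged "$LOGFILE" /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php
fi
```

After the next test mailing, last_exit on the log file gives the status sendmail saw and the lines above it give php-cgi's own complaint; if the log stays empty while the bounce persists, the denial is hitting the wrapper itself before it can write, which narrows the problem to the domain the pipe runs in rather than to the script.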