[CentOS] SELinux prevents my PHP script from sending mail

Thu May 3 15:04:45 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> [ Sorry about the private message. Reply-to header wasn't set in your 
> message. Resending to all... ]
> 
> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> 
>> What AVC messages are you seeing?
> 
> None now, as I said. But before I applied the local policy, the denials 
> were:
> 
> type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for  pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> 
> I used these with audit2allow to make a local policy module. Since then, 
> audit.log is completely silent when the script execution fails.
> 
> -Alan
> 

An email comes in and this then executes a cgi script which connects to postgresql?
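An added example, not part of the thread: a small Python reducer that turns AVC records like the ones quoted above into the (source domain, target type, object class) to permissions summary that audit2allow keys its allow rules on, so the rules can be read and judged before a local module is built. The sample log is constructed from four of the records in the thread, reflowed to one record per line.

```python
import re

# Constructed sample: four of the AVC records quoted in the thread, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for  pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# key=value tokens; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The denied permission set sits in braces and is not a key=value token.
PERMS_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other audit line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context is user:role:type:level; policy rules are written on the type,
    # so split on ':' instead of guessing where the MLS level starts.
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm', '?'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def summarize(log_text):
    """Merge denials by (source domain, target type, class), as audit2allow does."""
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['sdomain'], rec['ttype'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}

def as_allow_rules(rules):
    """Render the summary as TE allow rules for review before any module is built."""
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};'
            for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Read this way, every rule has sendmail_t as its source, which is the point of the question above: the decision is whether a mail-delivery domain should be running php-cgi and reaching the PostgreSQL socket at all, not merely which permissions to allow.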