[CentOS] SELinux prevents my PHP script from sending mail
Daniel J Walsh
dwalsh at redhat.com
Thu May 3 14:19:30 UTC 2012
On 05/03/2012 10:02 AM, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
>> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
>>> On Wednesday 02 May 2012, Alan M. Evans wrote:
>>>> Hello all...
>>>>
>>>> I maintain an amateurish email list for my wife's website on my
>>>> CentOS 6 server. Once-a-month, she sends mail to
>>>> "mylistaddr at mydomain.com" and the /etc/aliases file redirects that to
>>>> my script:
>>>>
>>>> mylistaddr: "| /usr/bin/php-cgi
>>>> /var/www/html/mydomain/email-cgi.php"
>>>>
>>>> The script, in turn, reads the recipient addresses out of a DB and
>>>> composes and sends the mails. This all worked great until this
>>>> month's mailing.
>>>>
>>>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer
>>>> error 255". When I see programs complaining about "unknown"
>>>> conditions, I usually suspect SELinux first, and sure enough...
>>>>
>>>> setenforce 0
>>>>
>>>> then everything works like a charm. I wonder what changed between
>>>> last month and this month?
>>>>
>>>> Anyway, I checked the audit.log file and found the relevant AVC
>>>> denials. I created a local policy (audit2allow) to circumvent the
>>>> denials, which helpfully prevented the denial messages in audit.log.
>>>> But the maillist script still fails identically as long as SELinux is
>>>> enforcing. And now nothing shows up in audit.log.
>>>>
>>>> So SELinux is preventing sendmail from calling my maillist script
>>>> and not reporting the reason. How do I go about figuring out what's
>>>> broken and how to fix it?
>>>
>>> Do you have the httpd_can_sendmail boolean on?
>>
>> Yes.
>
> Actually, just looking at my own description and I realize that the subject
> should read that SELinux is preventing my script from *receiving* mail, not
> sending mail. Various scripts on the site send mail all the time with no
> problem. It's the execution (via the aliases file) of email-cgi.php that
> fails.
>
> -Alan
What AVC messages are you seeing?
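Added example, not part of the original thread: a small Python summarizer for the question "which AVC denials am I seeing?", grouping the denied records found in audit.log text by source type, target type and object class. The sample log lines, including the sendmail_t, httpd_sys_content_t and mysqld_port_t contexts, are constructed for illustration and are not the poster's actual denials.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative only, not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1336053570.123:410): avc:  denied  { read } for  pid=2314 comm="php-cgi" name="email-cgi.php" dev=dm-0 ino=262811 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1336053570.123:410): arch=c000003e syscall=2 success=no exit=-13 comm="php-cgi" exe="/usr/bin/php-cgi"
type=AVC msg=audit(1336053571.456:411): avc:  denied  { read open } for  pid=2314 comm="php-cgi" name="email-cgi.php" dev=dm-0 ino=262811 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1336053572.789:412): avc:  denied  { name_connect } for  pid=2314 comm="php-cgi" dest=3306 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1336053573.000:413): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class); merge perms and comms."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. "granted" records produced by auditallow rules
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        try:
            stype = fields["scontext"].split(":")[2]  # user:role:type:level
            ttype = fields["tcontext"].split(":")[2]
            key = (stype, ttype, fields["tclass"])
        except (KeyError, IndexError):
            continue  # truncated or malformed record
        entry = summary[key]
        entry["perms"].update(m.group("perms").split())
        entry["comms"].add(fields.get("comm", "?"))
        entry["count"] += 1
    return dict(summary)

def format_report(summary):
    """One line per (source, target, class) tuple, sorted for stable output."""
    return ["%s -> %s:%s { %s } comm=%s x%d" % (
                s, t, c, " ".join(sorted(e["perms"])),
                ",".join(sorted(e["comms"])), e["count"])
            for (s, t, c), e in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(format_report(summarize_denials(SAMPLE_LOG))))
```

To run it against a real system, pass the contents of the audit log to `summarize_denials` in place of `SAMPLE_LOG`.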