[CentOS] SELinux prevents my PHP script from sending mail

Thu May 3 14:19:30 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 05/03/2012 10:02 AM, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
>> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
>>> On Wednesday 02 May 2012, Alan M. Evans wrote:
>>>> Hello all...
>>>> 
>>>> I maintain an amateurish email list for my wife's website on my
>>>> CentOS 6 server. Once a month, she sends mail to
>>>> "mylistaddr at mydomain.com" and the /etc/aliases file redirects that to
>>>> my script:
>>>> 
>>>> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>>>> 
>>>> The script, in turn, reads the recipient addresses out of a DB and 
>>>> composes and sends the mails. This all worked great until this
>>>> month's mailing.
>>>> 
>>>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer
>>>> error 255". When I see programs complaining about "unknown"
>>>> conditions, I usually suspect SELinux first, and sure enough...
>>>> 
>>>> setenforce 0
>>>> 
>>>> then everything works like a charm. I wonder what changed between
>>>> last month and this month?
>>>> 
>>>> Anyway, I checked the audit.log file and found the relevant AVC
>>>> denials. I created a local policy (audit2allow) to circumvent the
>>>> denials, which helpfully prevented the denial messages in audit.log.
>>>> But the maillist script still fails identically as long as SELinux is
>>>> enforcing. And now nothing shows up in audit.log.
>>>> 
>>>> So SELinux is preventing sendmail from calling my maillist script
>>>> and not reporting the reason. How do I go about figuring out what's
>>>> broken and how to fix it?
>>> 
>>> Do you have the httpd_can_sendmail boolean on?
>> 
>> Yes.
> 
> Actually, just looking at my own description and I realize that the subject
> should read that SELinux is preventing my script from *receiving* mail, not
> sending mail. Various scripts on the site send mail all the time with no
> problem. It's the execution (via the aliases file) of email-cgi.php that
> fails.
> 
> -Alan

What AVC messages are you seeing?