apache denied access to sendmail

Amin Astaneh aastaneh at cmax2.com
Tue Sep 27 17:18:36 UTC 2005


System: Fedora Core 3, current

I am using a trouble ticketing system written in PHP (phpSupport) which uses sendmail through
calling a perl script provided by the package. Every time phpSupport passes a mail request to
sendmail, this audit appears:

Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc:  denied  { name_connect } for
pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket

In /var/log/maillog, sendmail logs this for the email transaction:

Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0,
nrcpts=1, msgid=<200509271643.j8RGhYfY003948 at apache02.qwik.net>, relay=apache at localhost

Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh at cmax2.com, ctladdr=apache
(48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[] [],
dsn=4.0.0, stat=Deferred: Permission denied

I have already submitted a bug report https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168874
and this problem was fixed in FC4... with no real note of fixing it for FC3.

I have already did a touch /.autorelabel and rebooted, but to no avail..

The only fix is to take the results of audit2allow and recompile policy (which worked on my
development box).
I am a little wary of building policy from policy-sources on a production machine in order to
insert dontaudit rules to stop this denial.. is it possible to build policy on a development
server (with the exact architecture) and transplant it into the production machine? If so- what
procedure must I follow?

Are there any other solutions?

Amin Astaneh

More information about the fedora-selinux-list mailing list