httpd can't send mails

Shintaro Fujiwara shin216 at xf7.so-net.ne.jp
Mon Jul 2 22:00:36 UTC 2007


> dragoran wrote:
> > Shintaro Fujiwara wrote:
> >>> I tried to send mails using a php script that calls mail() but when I
> >>> do it I get this avc:
> >>> audit(1183392777.651:14): avc:  denied  { read } for  pid=25048 
> >>> comm="sendmail" name="[79366]" dev=eventpollfs ino=79366 
> >>> scontext=user_u:system_r:system_mail_t:s0 
> >>> tcontext=user_u:system_r:httpd_t:s0 tclass=file
> >>> the boolean "httpd_can_sendmail" is enabled (true).
> >>> I restarted the httpd and sendmail service after doing so... but still
> >>> no success.
> >>> Any ideas?
> >>>     
> >>
> >> Hi,
> >>
> >> Why don't you edit policy and update them?
> >> Maybe you can do it by editing a few files and
> >> typing several commands.
> >>
> >> If you are using postfix, here's what I did.
> >> I made an interface for postfix.
> >>
> >> ########################################
> >> ## <summary>
> >> ##      for xoops sending mail from postfix.
> >> ## </summary>
> >> ## <param name="domain">
> >> ##      Domain allowed to send mails.
> >> ## </param>
> >> #
> >>
> >> interface(`xoops_send_mail_by_postfix',`
> >>         gen_require(`
> >>                 type bin_t;
> >>                 type smtp_port_t;
> >>                 type sendmail_exec_t;
> >>         ')
> >>         allow $1 bin_t:dir search;
> >>         allow $1 smtp_port_t:tcp_socket { name_connect send_msg recv_msg };
> >>         allow $1 sendmail_exec_t:file { execute execute_no_trans getattr read };
> >> ')
> >>
> >>
> >> 1. I downloaded source of refpolicy.
> >> 2. I copied postfix ones and apache ones to /usr/share/selinux/devel.
> >> 3. I edited the first line of postfix.te so that the version number becomes
> >> larger than the original one.
> >> 4. I added above interface to postfix.if.
> >> 5. I added xoops_send_mail_by_postfix(httpd_t) to apache.te and also
> >> edited first line like postfix.
> >> 6. #make clean
> >> 7. #make
> >> 8. #semodule -u postfix.pp
> >> 9. #semodule -u apache.pp
> >>
> >>   
> > did this fix this kind of avcs for you?
> What platform and what version of policy.  Current policy looks like it 
> has these rules.

Oh, I'm now using,

selinux-policy-strict-2.4.6-13.fc6

on FC6 server.
I'm now converting my own policies to F7.

You are right.
You guys made much progress on that.
I will check if I can send mail from PHP script,
without any errors on F7.

I'm always relying on Dan's page, of course.
Thanks !
Hey, we're having an SELinux meeting in Japan tomorrow.


Hi, dragoran,

Oh, system_mail_t ...
That is not my case but I think it's close.
Why don't you relabel your mail-agent's exec file to bin_t?