LinuxQuestions.org, Fedora forum: SELinux Errors when a PHP program attempts to send out email (https://www.linuxquestions.org/questions/fedora-35/selinux-errors-when-a-php-program-attempts-to-send-out-email-624309/)

poorboyiii 02-27-2008 04:43 PM

SELinux Errors when a PHP program attempts to send out email
 
I am working on my church's web server. They want to have a feedback area that will send out an email with user comments. I found several programs that will do the job (all of them use the "mail" command).

The problem arises accessing sendmail through the httpd. When the scripts are executed, SELinux prevents access to the files in /etc/mail (sendmail.cf, trusted-users, submit.cf, etc.). SELinux suggests that I do a
chcon -t httpd_sys_content_t xxfilenamexx to each of the files. If I do that, then the command line program "mail" will start to generate SELinux errors and suggest that I restore the files (etc_mail_t). Now I am at a loss, since I need to have the command line mail work and the httpd feedback PHP program work.

Any suggestions?

Thanks Sam

unSpawn 02-27-2008 07:12 PM

Quote:

Originally Posted by poorboyiii (Post 3071909)
The problem arises accessing sendmail through the httpd.

(which are of domain httpd_t)


Quote:

Originally Posted by poorboyiii (Post 3071909)
When the scripts are executed SELinux prevents access to the files in /etc/mail

which are in etc_mail_t like it said.


Sounds like you need a local policy addition reading something like:
Code:

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { read search getattr };
allow httpd_t etc_mail_t:file { read getattr };

but this should come from you running and reviewing output of "audit2allow".

poorboyiii 02-28-2008 08:28 AM

Quote:

Originally Posted by unSpawn (Post 3072044)
(which are of domain httpd_t)

Sounds like you need a local policy addition reading something like:
Code:

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { read search getattr };
allow httpd_t etc_mail_t:file { read getattr };

but this should come from you running and reviewing output of "audit2allow".

I ran audit2allow -a and received the following output:

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file getattr;
allow httpd_t mqueue_spool_t:dir search;
allow httpd_t unconfined_home_t:file getattr;

#============= pam_console_t ==============
allow pam_console_t device_t:file getattr;

#============= sendmail_t ==============
allow sendmail_t httpd_sys_content_t:dir { search getattr };


I think you hit on the problem. Now I have to look into creating the local policy.

Only now I am questioning the two additional rules in the httpd_t section and the others. What are they indicating?

Sam
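Added example, not code from this thread or from audit2allow itself: a small Python parser that does what audit2allow does with denials like the ones in the output above, grouping AVC records into allow rules per source domain, plus a review pass that flags any rule granting httpd_t access to a type outside an assumed allowlist, which is how the unconfined_home_t rule asked about here would surface before anything is loaded. The audit lines and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of audit.log AVC denials (not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1204137000.101:201): avc:  denied  { search } for  pid=2231 comm="sendmail" name="mail" dev=sda2 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1204137000.102:202): avc:  denied  { getattr } for  pid=2231 comm="sendmail" path="/etc/mail" dev=sda2 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=AVC msg=audit(1204137000.103:203): avc:  denied  { getattr } for  pid=2231 comm="sendmail" path="/etc/mail/sendmail.cf" dev=sda2 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1204137000.104:204): avc:  denied  { search } for  pid=2231 comm="sendmail" name="mqueue" dev=sda2 ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1204137000.105:205): avc:  denied  { getattr } for  pid=2240 comm="php" path="/home/sam/notes.txt" dev=sda2 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file
type=SYSCALL msg=audit(1204137000.105:205): arch=40000003 syscall=195 success=no exit=-13 comm="php"
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:level] -> type, the field type-enforcement rules are written against."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Collect {(source_type, target_type, tclass): set(permissions)} from AVC records."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other non-AVC records are skipped, as audit2allow does
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render the denials as allow rules grouped per source domain, in the layout of
    audit2allow output (permission sets are sorted alphabetically here)."""
    lines = []
    for stype in sorted({s for s, _, _ in denials}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(denials.items()):
            if s == stype:
                p = sorted(perms)
                perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
                lines.append(f"allow {s} {t}:{cls} {perm_str};")
    return lines

# Assumed allowlist: target types the feedback script legitimately needs in this thread's scenario.
EXPECTED_TARGETS = {"httpd_t": {"etc_mail_t", "mqueue_spool_t"}}
def flag_unexpected(denials, expected=EXPECTED_TARGETS):
    """Rules that would let the web server domain touch a type outside the allowlist (e.g. a home dir)."""
    return [k for k in sorted(denials) if k[1] not in expected.get(k[0], set())]
```

Every flagged rule should be explained (which process, which path, and why) or dropped from the .te file before the module is built and installed.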

unSpawn 02-28-2008 06:18 PM

Quote:

Originally Posted by poorboyiii (Post 3072640)
allow httpd_t mqueue_spool_t:dir search;

'ls -alZ /var/spool'


Quote:

Originally Posted by poorboyiii (Post 3072640)
allow httpd_t unconfined_home_t:file getattr;

No idea.


Quote:

Originally Posted by poorboyiii (Post 3072640)
I think you hit on the problem. Now I have to look into creating the local policy.

I like to keep my policy in /etc/selinux/targeted/modules/active but you can place it anywhere:
Code:

cd /etc/selinux/targeted/modules/active
pol="local"
# feed the denials from both logs to audit2allow; -M writes ${pol}.te for review
( cat /var/log/audit/audit.log; cat /var/log/messages ) | audit2allow -M ${pol}
# compile the reviewed .te into a module, package it, and install the package
checkmodule -M -m -o ${pol}.mod ${pol}.te
semodule_package -o ${pol}.pp -m ${pol}.mod
semodule -i ${pol}.pp


