LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices


Reply
  Search this Thread
Old 02-27-2008, 04:43 PM   #1
poorboyiii
LQ Newbie
 
Registered: Feb 2007
Location: Joliet/Plainfield Illinois
Distribution: Ubuntu
Posts: 19

Rep: Reputation: 0
SELinux Errors when a PHP program attempts to send out email


I am working on my church's web server. They want to have a feedback area that will send out an email with user comments. I found several programs that will do the job (all of then use the "mail" command.

The problem arises accessing sendmail through the httpd. When the scripts are executed SELinus prevents access to the files in /etc/mail (sendmail.cf, trusted-users, submit.cf, etc.) SELinux suggest that I do a
chcon -t httpd_sys_content_t xxfilenamexx to each of the files. If I do that then the command line program "mail" will start to generate SELinux errors and suggest that I restore the files (etc_mail_t). Now I am at a loss since I need to have the command line mail work and the httpd feedback PHP program work.

Any suggestions.

Thanks Sam
 
Old 02-27-2008, 07:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by poorboyiii View Post
The problem arises accessing sendmail through the httpd.
(which are of domain httpd_t)


Quote:
Originally Posted by poorboyiii View Post
When the scripts are executed SELinux prevents access to the files in /etc/mail
which are in etc_mail_t like it said.


Sounds like you need a local policy addition reading something like:
Code:
#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { read search getattr };
allow httpd_t etc_mail_t:file { read getattr };
but this should come from you running and reviewing output of "audit2allow".
 
Old 02-28-2008, 08:28 AM   #3
poorboyiii
LQ Newbie
 
Registered: Feb 2007
Location: Joliet/Plainfield Illinois
Distribution: Ubuntu
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
(which are of domain httpd_t)

Sounds like you need a local policy addition reading something like:
Code:
#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { read search getattr };
allow httpd_t etc_mail_t:file { read getattr };
but this should come from you running and reviewing output of "audit2allow".
I ran audit2allow -a and received the following output:

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file getattr;
allow httpd_t mqueue_spool_t:dir search;
allow httpd_t unconfined_home_t:file getattr;

#============= pam_console_t ==============
allow pam_console_t device_t:file getattr;

#============= sendmail_t ==============
allow sendmail_t httpd_sys_content_t:dir { search getattr };


I think you hit on the problem. Now I have to look into creating the local policy.

Only now I am questioning the two additional in the httpd_t secetion and the others. What are they indicating?

Sam
 
Old 02-28-2008, 06:18 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by poorboyiii View Post
allow httpd_t mqueue_spool_t:dir search;
'ls -alZ /var/spool'


Quote:
Originally Posted by poorboyiii View Post
allow httpd_t unconfined_home_t:file getattr;
No idea.


Quote:
Originally Posted by poorboyiii View Post
I think you hit on the problem. Now I have to look into creating the local policy.
I like to keep my policy in /etc/selinux/targeted/modules/active but you can place it anywhere:
Code:
cd /etc/selinux/targeted/modules/active
pol="local"
( cat /var/log/audit/audit.log; cat /var/log/messages ) audit2allow -M ${pol}
checkmodule -M -m -o ${pol}.mod ${pol}.te
semodule_package -o ${pol}.pp -m ${pol}.mod
semodule -i ${pol}.pp
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
php script don't send email with qmail pk_kala Linux - Server 8 05-02-2009 08:33 AM
A program to automatically send email to some user Peter_APIIT Linux - General 5 12-17-2007 04:37 AM
SELinux denies access - Can't send my first email ElijahDaniel Linux - Security 2 12-17-2007 01:48 AM
I need to send email from PHP - How can I do this easily? wadesmart Ubuntu 6 07-06-2006 03:15 AM
Send errors via PHP RodimusProblem Programming 1 02-07-2005 09:37 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora

All times are GMT -5. The time now is 01:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration