Re: SELinux prevents my PHP script from sending mail




On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> > On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> > 
> >> What AVC messages are you seeing?
> > 
> > None now, as I said. But before I applied the local policy, the denials 
> > were:
> > 
> > type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for  pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> > 
> > I used these with audit2allow to make a local policy module. Since then, 
> > audit.log is completely silent when the script execution fails.

> An email comes in and this then executes a cgi script which connects to postgresql?

Yes. The DB that keeps the mailing list recipients is postgresql. I'm
not entirely certain how it got that far, given that sendmail was denied
read and open access on the script.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
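An added example, not part of the original message and not audit2allow's own code: a small Python parser that re-joins line-wrapped AVC records like the ones quoted above and groups them into allow-style statements, so the access a local policy module built from them would grant can be reviewed first. The function names are hypothetical, and the sample is constructed from three of the quoted denials.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denials quoted in the message, kept in
# line-wrapped form to exercise the re-joining logic.
SAMPLE = """\
type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for
pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php"
dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629
comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468
scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.346:127752): avc:  denied  { connectto } for
pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432"
scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

AVC = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def setype(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    rules, comms = defaultdict(set), defaultdict(set)
    flat = " ".join(text.split())          # undo mail-client line wrapping
    for record in flat.split("type=AVC")[1:]:
        m = AVC.search(record)
        if not m:
            continue                        # not a denial, or truncated
        key = (setype(m["s"]), setype(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        comms[key[0]].add(m["comm"])        # which programs ran in the domain
    return rules, comms

def as_allow_rules(rules):
    """Render grouped denials as allow statements for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, comms = summarize(SAMPLE)
    print(*as_allow_rules(rules), dict(comms), sep="\n")
```

The second return value maps each source domain to the command names seen in it; for the quoted denials that is `php-cgi` under `sendmail_t`, so every generated rule widens the mail domain.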

