On Thu, Dec 29, 2011 at 12:15:46AM +0000, Paul Howarth wrote:
> On Wed, 28 Dec 2011 18:04:30 -0500
> Edward Ned Harvey <selinuxadmin@xxxxxxxxxxxxxxx> wrote:
>
> > How can this happen? It's getting denied, but not appearing in
> > either the audit log or the messages file. Running CentOS 6 fully
> > updated, php (drupal) inside of httpd tries to send mail via postfix
> > (postdrop).
> >
> > When I have setenforce 0, the mail goes through. No errors in any
> > logs (audit.log, error_log, messages)
> >
> > When I have setenforce 1, the mail gets blocked. I get this message
> > in httpd error_log:
> >
> > sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
> >
> > sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
> >
> > sendmail: fatal: email@xxxxxxxxxxx(48): unable to execute /usr/sbin/postdrop -r: Success
> >
> > I have auditd running. In fact, I regularly use audit2allow to
> > create allow policies on this machine. So I can confidently say
> > normally my selinux denials get logged in the audit.log. I am at a
> > loss to think of any reason this particular failure is not getting
> > logged the same way my other error messages usually get logged.
> >
> > I believe I can write a custom allow script by hand, but I believe I
> > probably shouldn't, or if I try, it will fail for some reason.
> >
> > Thanks for your help...
>
> The denials you're getting are probably being dontaudit-ed. See:
>
> http://danwalsh.livejournal.com/11673.html

... try to find selinux errors:

    grep -i err /var/log/audit/audit.log

or switch noaudit off:

    semodule -BD

Regards
Adam Przybyla

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
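
The procedure suggested in the replies above, as an added example that is not part of the original thread: once dontaudit rules are disabled, the previously hidden denials land in audit.log, and the function below reduces them to one line per distinct denial for a given command name. The helper names `avc_summary` and `sample_log` are hypothetical, and the sample records are constructed for illustration; they are not the poster's actual denials.

```shell
#!/bin/sh
# On the affected host, as root (shown as comments; not run by this script):
#   semodule -DB    # rebuild policy with dontaudit rules disabled
#   ...reproduce the failure, then: avc_summary sendmail /var/log/audit/audit.log
#   semodule -B     # rebuild policy with dontaudit rules enabled again

# avc_summary COMM LOGFILE  (hypothetical helper; LOGFILE "-" reads stdin)
# Prints each distinct denial for processes named COMM as:
#   source_type target_type class permissions
avc_summary() {
    awk -v want="comm=\"$1\"" '
        function setype(f,   a) {      # type field of user:role:type:level
            sub(/^[a-z]+=/, "", f); split(f, a, ":"); return a[3]
        }
        /type=AVC/ && /denied/ {
            hit = 0; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == want) hit = 1
                else if ($i ~ /^scontext=/) s = setype($i)
                else if ($i ~ /^tcontext=/) t = setype($i)
                else if ($i ~ /^tclass=/) c = substr($i, 8)
            }
            if (!hit) next
            # permissions are the text between "{ " and " }"
            a0 = index($0, "{ "); b0 = index($0, " }")
            key = s " " t " " c " " substr($0, a0 + 2, b0 - a0 - 2)
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' "$2"
}

# Constructed sample records (not the poster's log): a repeated denial,
# a SYSCALL record, a second distinct denial, and one for another command.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1325117070.101:411): avc:  denied  { execute } for  pid=2301 comm="sendmail" name="postdrop" dev=dm-0 ino=393512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1325117070.101:411): arch=c000003e syscall=59 success=no exit=-13 pid=2301 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
type=AVC msg=audit(1325117190.554:419): avc:  denied  { execute } for  pid=2317 comm="sendmail" name="postdrop" dev=dm-0 ino=393512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=AVC msg=audit(1325117190.560:420): avc:  denied  { write add_name } for  pid=2317 comm="sendmail" name="maildrop" dev=dm-0 ino=393800 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1325117201.007:421): avc:  denied  { getattr } for  pid=1980 comm="httpd" path="/srv/www/site" dev=dm-0 ino=131100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
EOF
}

sample_log | avc_summary sendmail -
```

Leaving dontaudit rules disabled makes audit.log noisy, so the `semodule -B` step at the end of the procedure matters as much as the first one.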