On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> > On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> > 
> >> What AVC messages are you seeing?
> > 
> > None now, as I said. But before I applied the local policy, the denials 
> > were:
> > 
> > type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for
> > pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php"
> > dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629
> > comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468
> > scontext=system_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629
> > comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468
> > scontext=system_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629
> > comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1
> > ino=14811468 scontext=system_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629
> > comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267
> > scontext=system_u:system_r:sendmail_t:s0
> > tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> > 
> > type=AVC msg=audit(1335990099.346:127752): avc:  denied  { connectto } for
> > pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432"
> > scontext=system_u:system_r:sendmail_t:s0
> > tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> > 
> > I used these with audit2allow to make a local policy module. Since then, 
> > audit.log is completely silent when the script execution fails.

> An email comes in and this then executes a cgi script which connects to 
> postgresql?

Yes. The DB that keeps the mailing list recipients is postgresql. I'm
not entirely certain how it got that far, given that sendmail was denied
read and open access on the script.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
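Added example, not part of the thread: before feeding denials like the ones above straight into audit2allow, it helps to parse the AVC records yourself and see exactly which type-level rules a local module would grant. The script below is my own illustration; its only input is the six AVC records quoted in the thread, embedded as a constructed sample with the mail client's line wrapping left in place (records run together, fields split across lines) so the parser has to reassemble them. The rule text it prints mirrors the `allow source target:class { perms };` form audit2allow emits, but the script is not audit2allow and assumes nothing about the poster's system beyond the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, kept exactly as the
# mail client wrapped them (several records on one logical line, fields broken
# across lines). Two records share serial 127750 and two share 127752; they are
# still separate denials and must not be collapsed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1335990099.325:127749): avc:  denied  { getattr } for
pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php"
dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.326:127750): avc:  denied  { read } for  pid=17629
comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468
scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.326:127750): avc:  denied  { open } for  pid=17629
comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468
scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.326:127751): avc:  denied  { ioctl } for  pid=17629
comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1
ino=14811468 scontext=system_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=AVC
msg=audit(1335990099.346:127752): avc:  denied  { write } for  pid=17629
comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267
scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file type=AVC
msg=audit(1335990099.346:127752): avc:  denied  { connectto } for
pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432"
scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# One AVC denial: timestamp, serial, the permission set in braces, then the
# key=value tail, which runs until the next "type=AVC" or the end of input.
RECORD_RE = re.compile(
    r"type=AVC\s+msg=audit\(([\d.]+):(\d+)\):\s*avc:\s*denied\s*\{([^}]*)\}\s*for\s*"
    r"(.*?)(?=type=AVC|$)"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return a list of dicts, one per AVC denial, after undoing line wrapping."""
    flat = " ".join(text.split())  # collapse the mail client's wrapping
    records = []
    for m in RECORD_RE.finditer(flat):
        ts, serial, perms, tail = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(tail)}
        fields["timestamp"] = float(ts)
        fields["serial"] = int(serial)
        fields["perms"] = perms.split()
        records.append(fields)
    return records


def type_of(context):
    """user:role:type:level -> type, e.g. system_u:system_r:sendmail_t:s0 -> sendmail_t."""
    return context.split(":")[2]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        grouped[key].update(r["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(summary):
    """Render each group as the allow rule a local policy module would carry."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    print(f"{len(recs)} denials parsed")
    for rule in allow_rules(summarize(recs)):
        print(rule)
```

The point of looking at the grouped output is that SELinux rules are written against types, not paths: the first rule lets every process in `sendmail_t` read any file labelled `httpd_sys_content_t`, i.e. the whole web document root, not just `email-cgi.php`. When that is wider than intended, the alternative is to give the script its own label (or a domain transition for the CGI) rather than loading the audit2allow module as generated. The script also keeps the serial numbers, which is useful when, as in the thread, a process carries on past an `open` denial: the later `ioctl` and `connectto` records carry their own serials and can be matched against other audit events from the same pid.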
