I am running CentOS4, and I am trying to get the PHP mail() command to work.
When I turn off SELinux enforcing, everything works fine. When SELinux is
enforcing, the mail() command fails and I get these errors
in /var/log/messages:
May 11 00:31:23 legolas kernel: audit(1115793083.119:0): avc: denied { create } for pid=7498 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc: denied { search } for pid=7498 exe=/usr/sbin/sendmail.postfix name=spool dev=md1 ino=421860 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc: denied { create } for pid=7498 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:24 legolas kernel: audit(1115793084.150:0): avc: denied { create } for pid=7501 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:24 legolas kernel: audit(1115793084.159:0): avc: denied { search } for pid=7501 exe=/usr/sbin/sendmail.postfix name=spool dev=md1 ino=421860 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
May 11 00:31:24 legolas kernel: audit(1115793084.160:0): avc: denied { create } for pid=7501 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Google suggests that this should work with policy.18.
I have tried lots of things, including:

  yum install selinux-policy-targeted-sources
  load_policy /etc/selinux/targeted/policy/policy.18
  chcon root:system_r:httpd_sys_script_t /usr/sbin/sendmail.postfix
    (I had to setenforce 0 before it would let me do this, and I tried this
    on lots of files before giving up)
  restorecon /usr/sbin/sendmail /usr/sbin/sendmail.postfix /etc/alternatives/mta
I think it is interesting that /usr/sbin/sendmail.postfix has context
system_u:object_r:sbin_t, instead of system_u:object_r:sendmail_exec_t as
specified in /etc/selinux/targeted/src/policy/file_contexts/program/postfix.fc
I am enjoying the educational exercise, but I am stumped. Can anyone explain
what is going on, and suggest other things that I should try?
Richard Esplin
.===================================.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin. |
| IRC: #utah at irc.freenode.net |
`==================================='
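Added example, not part of the original post or of any SELinux tool: a small Python script that parses the AVC lines quoted above (constructed single-line copies are embedded inline) and collapses them into unique (source type, target type, class, permissions) tuples, the same grouping audit2allow performs when it proposes allow rules. The point it makes visible is that the exe= field is sendmail.postfix while scontext is still httpd_sys_script_t, so the denials belong to the web script domain rather than to a mail domain.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the post, each joined onto one line.
SAMPLE_LOG = """\
May 11 00:31:23 legolas kernel: audit(1115793083.119:0): avc: denied { create } for pid=7498 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc: denied { search } for pid=7498 exe=/usr/sbin/sendmail.postfix name=spool dev=md1 ino=421860 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
May 11 00:31:24 legolas kernel: audit(1115793084.150:0): avc: denied { create } for pid=7501 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:24 legolas kernel: audit(1115793084.159:0): avc: denied { search } for pid=7501 exe=/usr/sbin/sendmail.postfix name=spool dev=md1 ino=421860 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Permission set in braces, then the three context fields; other fields are optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Yield one dict per AVC denial; non-AVC lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        exe = re.search(r"exe=(\S+)", line)
        yield {
            "perms": m.group("perms").split(),
            "stype": m.group("scontext").split(":")[2],   # user:role:TYPE
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "exe": exe.group(1) if exe else None,
        }

def summarize(text):
    """Collapse denials into {(source type, target type, class): sorted perms}."""
    grouped = defaultdict(set)
    for d in parse_avc(text):
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

def to_te_rules(summary):
    """Render the summary as TE allow rules ('self' when source == target), audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules
```

The generated rules are a diagnostic summary, not a recommended fix: they would widen what every PHP script on the host may do, whereas the post's own observation that sendmail.postfix carries sbin_t instead of sendmail_exec_t points at a labeling problem that prevents the normal domain transition.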