You may need to run restorecon to get postfix back to the right
context, but really that only has to do with operations on it, not by
it. Your http_t context is missing privileges normally given to the
mail domain. httpd_sys_script_t needs:

create on tclass=unix_dgram_socket
search on tcontext=system_u:object_r:var_spool_t

If you are running in permissive and these are the only errors, then
that is all you need, otherwise you are in for a long trial and error
of granting one permission which only allows it to ask for the next
action that is denied. Run it in permissive mode and find the denials and
grant those to httpd_sys_script_t. There is a selinux program included
by default with the policy tools that will turn a log of deny messages
into a positive policy.

Jordan Curzon

On 5/11/05, Richard Esplin <[EMAIL PROTECTED]> wrote:
> I am running CentOS4, and I am trying to get the PHP mail() command to work.
> When I turn off SELinux enforcing, everything works fine. When SELinux is
> enforcing, the mail() command fails and I get these errors
> in /var/log/messages:
> 
> May 11 00:31:23 legolas kernel: audit(1115793083.119:0): avc:  denied
> { create } for  pid=7498 exe=/usr/sbin/sendmail.postfix
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc:  denied
> { search } for  pid=7498 exe=/usr/sbin/sendmail.postfix name=spool dev=md1
> ino=421860 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
> May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc:  denied
> { create } for  pid=7498 exe=/usr/sbin/sendmail.postfix
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> May 11 00:31:24 legolas kernel: audit(1115793084.150:0): avc:  denied
> { create } for  pid=7501 exe=/usr/sbin/sendmail.postfix
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> May 11 00:31:24 legolas kernel: audit(1115793084.159:0): avc:  denied
> { search } for  pid=7501 exe=/usr/sbin/sendmail.postfix name=spool dev=md1
> ino=421860 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
> May 11 00:31:24 legolas kernel: audit(1115793084.160:0): avc:  denied
> { create } for  pid=7501 exe=/usr/sbin/sendmail.postfix
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
> 
> Google suggests that this should work with policy.18.
> 
> I have tried lots of things, including:
> yum install selinux-policy-targeted-sources
> load_policy /etc/selinux/targeted/policy/policy.18
> chcon root:system_r:httpd_sys_script_t /usr/sbin/sendmail.postfix (I had to
> setenforce 0 before it would let me do this, and I tried this on lots of
> files before giving up)
> restorecon /usr/sbin/sendmail /usr/sbin/sendmail.postfix /etc/alternatives/mta
> 
> I think it is interesting that /usr/sbin/sendmail.postfix has context
> system_u:object_r:sbin_t, instead of system_u:object_r:sendmail_exec_t as
> specified
> in /etc/selinux/targeted/src/policy/file_contexts/program/postfix.fc
> 
> I am enjoying the educational exercise, but I am stumped. Can anyone explain
> what is going on, and suggest other things that I should try?
> 
> Richard Esplin
> .===================================.
> | This has been a P.L.U.G. mailing. |
> |      Don't Fear the Penguin.      |
> |  IRC: #utah at irc.freenode.net   |
> `==================================='
>
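As an added illustration of the last step in Jordan's reply (turning a log of AVC denials into allow rules, which is what the audit2allow tool from the policy utilities does), and not code from either mail: a small Python parser run over the denials Richard quoted. The sample log is constructed by rejoining his wrapped lines into the single-line form the kernel writes; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denials from Richard's mail, each put back on
# one line as the kernel logs them (the quoted mail wrapped them).
SAMPLE_LOG = """\
May 11 00:31:23 legolas kernel: audit(1115793083.119:0): avc:  denied  { create } for  pid=7498 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
May 11 00:31:23 legolas kernel: audit(1115793083.130:0): avc:  denied  { search } for  pid=7498 exe=/usr/sbin/sendmail.postfix name=spool dev=md1 ino=421860 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
May 11 00:31:24 legolas kernel: audit(1115793084.150:0): avc:  denied  { create } for  pid=7501 exe=/usr/sbin/sendmail.postfix scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
"""

# Pull the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # user:role:type[:mls] -- the type is always the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def denials_to_allow_rules(log_text):
    """Collapse repeated denials into one deduplicated allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        # A process acting on an object of its own type is written as "self".
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_LOG)))
```

Each rule this emits only unblocks the next denial, as Jordan warns, so the loop is: run in permissive mode, feed the fresh log through, load the rules, and repeat until the parser returns nothing new.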