I appreciate the hints. I used audit2allow (a really slick tool), and it generated so many permissions that I figured there must be a better way. I think I found it. I decided to try and make httpd_sys_script transition to run in the mta role. I created the file /etc/selinux/targeted/src/policy/domains/misc/local.te, and gave it these contents:

# Allow httpd to transition to mta domain
# For PHP to be able to send email
domain_auto_trans(httpd_sys_script_t, sendmail_exec_t, system_mail_t);

I did a:

# make reload
# chcon -t sendmail_exec_t /usr/bin/sendmail.postfix

And most of my errors have disappeared. The remaining errors seem to be caused by all the postfix files having the wrong security context. When I run restorecon they all go back to system_u:object_r:sbin_t. Google pointed me to this URL:

https://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html

where someone had the exact same problem, and the Red Hat engineer said that it was fixed in policy 1.17.30-2.41. I am running selinux-policy-targeted-1.17.30-2.52.1.

Any ideas?

Richard Esplin

On Wednesday 11 May 2005 19:39, Jordan Curzon wrote:
> You may need to run restorecon to get postfix back to the right
> context, but really that only has to do with operations on it, not by
> it. Your http_t context is missing privileges normally given to the
> mail domain.
<snip>
> Run it in permissive mode and find the denies and
> grant those to httpd_sys_script_t. There is a selinux program included
> by default with the policy tools that will turn a log of deny messages
> into a positive policy.
>
> Jordan Curzon
>
> On 5/11/05, Richard Esplin <[EMAIL PROTECTED]> wrote:
> > I am running CentOS4, and I am trying to get the PHP mail() command to
> > work. When I turn off SELinux enforcing, everything works fine. When
> > SELinux is enforcing, the mail() command fails and I get these errors
> > in /var/log/messages:
> > <snip>
> >
> > Google suggests that this should work with policy.18.
> >
> > I have tried lots of things, including:
> > yum install selinux-policy-targeted-sources
> > load_policy /etc/selinux/targeted/policy/policy.18
> > chcon root:system_r:httpd_sys_script_t /usr/sbin/sendmail.postfix (I had
> > to setenforce 0 before it would let me do this, and I tried this on lots
> > of files before giving up)
> > restorecon /usr/sbin/sendmail /usr/sbin/sendmail.postfix
> > /etc/alternatives/mta
> >
> > I think it is interesting that /usr/sbin/sendmail.postfix has context
> > system_u:object_r:sbin_t, instead of system_u:object_r:sendmail_exec_t as
> > specified in /etc/selinux/targeted/src/policy/file_contexts/program/postfix.fc
> > <snip>
> > Richard Esplin
<snip>

.===================================.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin.           |
| IRC: #utah at irc.freenode.net    |
`==================================='
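An added illustration, not part of Richard's or Jordan's messages, of what "a program that will turn a log of deny messages into a positive policy" does, and of why the thread ends up preferring a domain transition over the pile of permissions audit2allow produces. The script below parses syslog-style AVC denial lines as 2.6-era kernels wrote them to /var/log/messages, aggregates them into allow rules keyed by source type, target type and object class (the core of what audit2allow does), and separately flags execute denials on file types, since those are the cases where a domain_auto_trans into the program's own domain (as in the local.te above) is the narrower fix. The log lines are constructed samples; httpd_sys_script_t and sbin_t come from the thread, the postfix_spool_* type names are assumed for illustration, and the transition heuristic is mine, not audit2allow's.

```python
import re
from collections import defaultdict

# Syslog-style AVC denial as logged by 2.6-era kernels, e.g.
#   audit(1115859731.123:0): avc:  denied  { execute } for  pid=... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

# Constructed sample of /var/log/messages while httpd_sys_script_t tries to run sendmail.
# The postfix_spool_t / postfix_spool_maildrop_t names are assumed, not taken from the thread.
SAMPLE_LOG = """\
May 11 19:02:11 web kernel: audit(1115859731.123:0): avc:  denied  { execute } for  pid=4321 exe=/usr/bin/php comm=php name=sendmail.postfix dev=hda2 ino=98765 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
May 11 19:02:11 web kernel: audit(1115859731.124:0): avc:  denied  { execute_no_trans } for  pid=4321 exe=/usr/bin/php comm=php name=sendmail.postfix dev=hda2 ino=98765 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
May 11 19:02:12 web kernel: audit(1115859732.001:0): avc:  denied  { search } for  pid=4322 exe=/usr/sbin/sendmail.postfix comm=sendmail name=postfix dev=hda2 ino=4444 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:postfix_spool_t tclass=dir
May 11 19:02:12 web kernel: audit(1115859732.002:0): avc:  denied  { write } for  pid=4322 exe=/usr/sbin/sendmail.postfix comm=sendmail name=maildrop dev=hda2 ino=4445 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:postfix_spool_maildrop_t tclass=dir
May 11 19:02:13 web kernel: something unrelated that is not an AVC message
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) for one denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    # Remaining fields are key=value pairs separated by whitespace.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type; only the type matters for a TE allow rule.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def aggregate(lines):
    """Collapse many denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return rules


def allow_rules(rules):
    """Render the aggregated denials as TE allow rules, one per (source, target, class)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return out


def transition_candidates(rules):
    """Heuristic (mine, not audit2allow's): an execute or execute_no_trans denial on a file
    type usually means the caller is about to run another program in its own domain.
    Relabelling the binary with its proper exec type and adding a domain_auto_trans is
    narrower than granting the caller every permission that program needs."""
    hits = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if tclass == "file" and perms & {"execute", "execute_no_trans"}:
            hits.append((stype, ttype))
    return hits


if __name__ == "__main__":
    rules = aggregate(SAMPLE_LOG.splitlines())
    for rule in allow_rules(rules):
        print(rule)
    for stype, ttype in transition_candidates(rules):
        print("# %s executes a %s file: consider relabelling it with its program's exec type"
              " and adding domain_auto_trans(%s, <exec_type>, <target_domain>) instead" % (stype, ttype, stype))
```

Run against the sample it prints three allow rules and one transition hint; in the thread's situation the hint corresponds to relabelling sendmail.postfix as sendmail_exec_t and adding the domain_auto_trans line, after which the postfix_spool_* denials belong to system_mail_t's policy rather than to httpd_sys_script_t.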
