Alan M. Evans
2012-May-02 21:36 UTC
[CentOS] SELinux prevents my PHP script from sending mail
Hello all...

I maintain an amateurish email list for my wife's website on my CentOS 6
server. Once-a-month, she sends mail to "mylistaddr at mydomain.com" and
the /etc/aliases file redirects that to my script:

mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"

The script, in turn, reads the recipient addresses out of a DB and
composes and sends the mails. This all worked great until this month's
mailing.

Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
255". When I see programs complaining about "unknown" conditions, I
usually suspect SELinux first, and sure enough...

setenforce 0

then everything works like a charm. I wonder what changed between last
month and this month?

Anyway, I checked the audit.log file and found the relevant AVC denials.
I created a local policy (audit2allow) to circumvent the denials, which
helpfully prevented the denial messages in audit.log. But the maillist
script still fails identically as long as SELinux is enforcing. And now
nothing shows up in audit.log.

So SELinux is preventing sendmail from calling my maillist script and
not reporting the reason. How do I go about figuring out what's broken
and how to fix it?

-Alan
Colin Coles
2012-May-03 09:33 UTC
[CentOS] SELinux prevents my PHP script from sending mail
On Wednesday 02 May 2012, Alan M. Evans wrote:
> Hello all...
>
> I maintain an amateurish email list for my wife's website on my CentOS 6
> server. Once-a-month, she sends mail to "mylistaddr at mydomain.com" and
> the /etc/aliases file redirects that to my script:
>
> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>
> The script, in turn, reads the recipient addresses out of a DB and
> composes and sends the mails. This all worked great until this month's
> mailing.
>
> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
> 255". When I see programs complaining about "unknown" conditions, I
> usually suspect SELinux first, and sure enough...
>
> setenforce 0
>
> then everything works like a charm. I wonder what changed between last
> month and this month?
>
> Anyway, I checked the audit.log file and found the relevant AVC denials.
> I created a local policy (audit2allow) to circumvent the denials, which
> helpfully prevented the denial messages in audit.log. But the maillist
> script still fails identically as long as SELinux is enforcing. And now
> nothing shows up in audit.log.
>
> So SELinux is preventing sendmail from calling my maillist script and
> not reporting the reason. How do I go about figuring out what's broken
> and how to fix it?

Do you have the httpd_can_sendmail boolean on?