Re: [CentOS] SELinux prevents my PHP script from sending mail
On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> > On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> >
> >> What AVC messages are you seeing?
> >
> > None now, as I said. But before I applied the local policy, the denials
> > were:
> >
> > type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> > type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> >
> > I used these with audit2allow to make a local policy module. Since then,
> > audit.log is completely silent when the script execution fails.
>
> An email comes in and this then executes a cgi script which connects to
> postgresql?

Yes. The DB that keeps the mailing list recipients is postgresql.

I'm not entirely certain how it got that far, given that sendmail was denied read and open access on the script.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux prevents my PHP script from sending mail
2012/5/3 Alan M. Evans :
> [ Sorry about the private message. Reply-to header wasn't set in your
> message. Resending to all... ]
>
> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
>
>> What AVC messages are you seeing?
>
> None now, as I said. But before I applied the local policy, the denials
> were:

How about trying something like this:

su - useraccount-under-script-runs -s /bin/bash

and then run the following commands:

/usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php

or

strace /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php

--
Eero
Re: [CentOS] SELinux prevents my PHP script from sending mail
On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> [ Sorry about the private message. Reply-to header wasn't set in your
> message. Resending to all... ]
>
> On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
>
>> What AVC messages are you seeing?
>
> None now, as I said. But before I applied the local policy, the denials
> were:
>
> type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
>
> I used these with audit2allow to make a local policy module. Since then,
> audit.log is completely silent when the script execution fails.
>
> -Alan

An email comes in and this then executes a cgi script which connects to
postgresql?
Re: [CentOS] SELinux prevents my PHP script from sending mail
[ Sorry about the private message. Reply-to header wasn't set in your
message. Resending to all... ]

On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:

> What AVC messages are you seeing?

None now, as I said. But before I applied the local policy, the denials
were:

type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket

I used these with audit2allow to make a local policy module. Since then,
audit.log is completely silent when the script execution fails.

-Alan
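The six AVC records above, run through a small parser that does with them what audit2allow does. This is an added example, not code from the thread or from the audit2allow project; the records are copied from Alan's message as constructed sample input, and the function and variable names are my own. It makes two things visible that the raw records hide in the noise: the source domain of every denial is sendmail_t (comm="php-cgi" ran in the MTA's domain, not httpd_t, so the httpd_can_sendmail boolean, which governs httpd_t, has no bearing on this path), and the denials collapse into exactly three allow rules, each of which widens what every process in sendmail_t may do, not just this script.

```python
import re

# Constructed sample input: the six AVC records Alan posted, one per line
# (the list archive ran them together into a single paragraph).
AVC_SAMPLE = """\
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# One AVC record: the decision, the permission set in braces, then the
# source context, the target context and the object class.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
# Generic key=value pairs (comm, path, name, pid, ...); values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the TYPE field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC records into dicts; lines that are not AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        records.append({
            "decision": m.group("decision"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "object": fields.get("path") or fields.get("name"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def allow_rules(text):
    """Collapse denials into 'allow SRC TGT:CLASS { perms };' lines, the way
    audit2allow does. Only denials that were actually logged can appear
    here: permissions covered by dontaudit rules never reach audit.log."""
    grouped = {}
    for rec in parse_avc(text):
        if rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        grouped.setdefault(key, set()).update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
            for (s, t, c), perms in grouped.items()]


def domains_by_command(text):
    """Map each comm= value to the set of source domains it was denied in.
    Check this first: it says which domain the process really ran in, and
    therefore which booleans and policy rules can apply to it at all."""
    out = {}
    for rec in parse_avc(text):
        if rec["decision"] == "denied":
            out.setdefault(rec["comm"], set()).add(rec["stype"])
    return out


if __name__ == "__main__":
    for comm, domains in domains_by_command(AVC_SAMPLE).items():
        print("%s ran in: %s" % (comm, ", ".join(sorted(domains))))
    print()
    for rule in allow_rules(AVC_SAMPLE):
        print(rule)
```

Two caveats for anyone following the same route. A silent audit.log under enforcing mode after loading a module almost always means the remaining denials are covered by dontaudit rules in the base policy; `semodule -DB` rebuilds the policy with dontaudit disabled so they are logged (`semodule -B` restores it), and denials surface one step at a time, so expect to repeat the cycle. And a shell obtained with `su` runs in the login user's domain, not sendmail_t, so running the script from such a shell proves nothing about SELinux even if it succeeds; the faithful reproduction is to deliver a message to the alias through sendmail itself and read audit.log afterwards.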
Re: [CentOS] SELinux prevents my PHP script from sending mail
On 05/03/2012 10:02 AM, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
>> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
>>> On Wednesday 02 May 2012, Alan M. Evans wrote:
>>>> Hello all...
>>>>
>>>> I maintain an amateurish email list for my wife's website on my CentOS 6
>>>> server. Once-a-month, she sends mail to "mylista...@mydomain.com" and
>>>> the /etc/aliases file redirects that to my script:
>>>>
>>>> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>>>>
>>>> The script, in turn, reads the recipient addresses out of a DB and
>>>> composes and sends the mails. This all worked great until this month's
>>>> mailing.
>>>>
>>>> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
>>>> 255". When I see programs complaining about "unknown" conditions, I
>>>> usually suspect SELinux first, and sure enough...
>>>>
>>>> setenforce 0
>>>>
>>>> then everything works like a charm. I wonder what changed between last
>>>> month and this month?
>>>>
>>>> Anyway, I checked the audit.log file and found the relevant AVC denials.
>>>> I created a local policy (audit2allow) to circumvent the denials, which
>>>> helpfully prevented the denial messages in audit.log. But the maillist
>>>> script still fails identically as long as SELinux is enforcing. And now
>>>> nothing shows up in audit.log.
>>>>
>>>> So SELinux is preventing sendmail from calling my maillist script and
>>>> not reporting the reason. How do I go about figuring out what's broken
>>>> and how to fix it?
>>>
>>> Do you have the httpd_can_sendmail boolean on?
>>
>> Yes.
>
> Actually, just looking at my own description and I realize that the subject
> should read that SELinux is preventing my script from *receiving* mail, not
> sending mail. Various scripts on the site send mail all the time with no
> problem. It's the execution (via the aliases file) of email-cgi.php that
> fails.
>
> -Alan

What AVC messages are you seeing?
Re: [CentOS] SELinux prevents my PHP script from sending mail
On Thu, 2012-05-03 at 06:54 -0700, Alan M. Evans wrote:
> On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
> > On Wednesday 02 May 2012, Alan M. Evans wrote:
> > > Hello all...
> > >
> > > I maintain an amateurish email list for my wife's website on my CentOS 6
> > > server. Once-a-month, she sends mail to "mylista...@mydomain.com" and
> > > the /etc/aliases file redirects that to my script:
> > >
> > > mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
> > >
> > > The script, in turn, reads the recipient addresses out of a DB and
> > > composes and sends the mails. This all worked great until this month's
> > > mailing.
> > >
> > > Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
> > > 255". When I see programs complaining about "unknown" conditions, I
> > > usually suspect SELinux first, and sure enough...
> > >
> > > setenforce 0
> > >
> > > then everything works like a charm. I wonder what changed between last
> > > month and this month?
> > >
> > > Anyway, I checked the audit.log file and found the relevant AVC denials.
> > > I created a local policy (audit2allow) to circumvent the denials, which
> > > helpfully prevented the denial messages in audit.log. But the maillist
> > > script still fails identically as long as SELinux is enforcing. And now
> > > nothing shows up in audit.log.
> > >
> > > So SELinux is preventing sendmail from calling my maillist script and
> > > not reporting the reason. How do I go about figuring out what's broken
> > > and how to fix it?
> >
> > Do you have the httpd_can_sendmail boolean on?
>
> Yes.

Actually, just looking at my own description and I realize that the subject
should read that SELinux is preventing my script from *receiving* mail, not
sending mail. Various scripts on the site send mail all the time with no
problem. It's the execution (via the aliases file) of email-cgi.php that
fails.

-Alan
Re: [CentOS] SELinux prevents my PHP script from sending mail
On Thu, 2012-05-03 at 10:33 +0100, Colin Coles wrote:
> On Wednesday 02 May 2012, Alan M. Evans wrote:
> > Hello all...
> >
> > I maintain an amateurish email list for my wife's website on my CentOS 6
> > server. Once-a-month, she sends mail to "mylista...@mydomain.com" and
> > the /etc/aliases file redirects that to my script:
> >
> > mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
> >
> > The script, in turn, reads the recipient addresses out of a DB and
> > composes and sends the mails. This all worked great until this month's
> > mailing.
> >
> > Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
> > 255". When I see programs complaining about "unknown" conditions, I
> > usually suspect SELinux first, and sure enough...
> >
> > setenforce 0
> >
> > then everything works like a charm. I wonder what changed between last
> > month and this month?
> >
> > Anyway, I checked the audit.log file and found the relevant AVC denials.
> > I created a local policy (audit2allow) to circumvent the denials, which
> > helpfully prevented the denial messages in audit.log. But the maillist
> > script still fails identically as long as SELinux is enforcing. And now
> > nothing shows up in audit.log.
> >
> > So SELinux is preventing sendmail from calling my maillist script and
> > not reporting the reason. How do I go about figuring out what's broken
> > and how to fix it?
>
> Do you have the httpd_can_sendmail boolean on?

Yes.

--
My hovercraft is full of eels
Re: [CentOS] SELinux prevents my PHP script from sending mail
On Wednesday 02 May 2012, Alan M. Evans wrote:
> Hello all...
>
> I maintain an amateurish email list for my wife's website on my CentOS 6
> server. Once-a-month, she sends mail to "mylista...@mydomain.com" and
> the /etc/aliases file redirects that to my script:
>
> mylistaddr: "| /usr/bin/php-cgi /var/www/html/mydomain/email-cgi.php"
>
> The script, in turn, reads the recipient addresses out of a DB and
> composes and sends the mails. This all worked great until this month's
> mailing.
>
> Now sendmail just bounces the mail back "554 5.3.0 unknown mailer error
> 255". When I see programs complaining about "unknown" conditions, I
> usually suspect SELinux first, and sure enough...
>
> setenforce 0
>
> then everything works like a charm. I wonder what changed between last
> month and this month?
>
> Anyway, I checked the audit.log file and found the relevant AVC denials.
> I created a local policy (audit2allow) to circumvent the denials, which
> helpfully prevented the denial messages in audit.log. But the maillist
> script still fails identically as long as SELinux is enforcing. And now
> nothing shows up in audit.log.
>
> So SELinux is preventing sendmail from calling my maillist script and
> not reporting the reason. How do I go about figuring out what's broken
> and how to fix it?

Do you have the httpd_can_sendmail boolean on?