Score:2

SELinux - blocks postfix emails sending out from the Web Application


My system environment is CentOS 7.9, Apache 2.4, php-fpm, PHP 7.4.

I have postfix set up to send emails from the website, which works for stand-alone test emails and when I turn SELinux off.

However, if SELinux is enabled it blocks sending the emails out from the server, with the below error in /var/log/maillog:

 postfix/sendmail[10883]: fatal: execv /usr/libexec/postfix/smtpd: Permission denied

When I do

  sudo setenforce 0

it sends emails. However, I don't want to turn SELinux off; I would like to whitelist my web application so that it can send emails. I tried the below, but that didn't work:

sudo setsebool -P httpd_can_sendmail 1

Any idea on how to solve this issue?

Score:0

This is a known bug with RHEL 7.7 and up when using php-fpm instead of Apache's mod_php. Since you're on CentOS 7.9, it applies.

You can read more regarding the issue on Red Hat's Bugzilla: http://bugzilla.redhat.com/show_bug.cgi?id=1754622

As for a solution for your issue, the first and most obvious one is disabling SELinux, but as a second option, I would recommend the following:

  1. Install the package policycoreutils-python
  2. Use audit2why and audit2allow to create custom rules to enable php-fpm to work with SELinux enabled.
  3. tail -f /var/log/audit/audit.log and try to send a mail message from httpd. Get the output and feed it through audit2why and audit2allow. It will be self-explanatory.
  4. Apply the rules advised by both programs.

A third solution would be putting httpd_t or system_mail_t (depending on the output of audit2allow) in permissive mode if you don't want to craft custom rules specific to this machine. But keep in mind that by doing this you'll be disabling SELinux for an entire context.

That would be done with the following command: semanage permissive -a httpd_t or semanage permissive -a system_mail_t. To undo the changes just change -a to -d.

Score:0

What I would do here is

Put SELinux in permissive mode

setenforce 0

Rotate the auditd logs so I get a clean(er) list of AVC denials

kill -USR1 $(cat /run/auditd.pid) 

Cause the issue to occur and generate audit messages

Create a local policy module

grep denied /var/log/audit/audit.log | audit2allow -m mypolicy >mypolicy.te 

Check that the generated policy file looks like I expect it to and doesn't 'give away' things I don't want it to, and edit as required.

Create and install the policy

checkmodule -M -m -o mypolicy.mod mypolicy.te
semodule_package -o mypolicy.pp -m mypolicy.mod
semodule -i mypolicy.pp 

You may find it easier to put all the AVC denials into a separate file and then remove the ones that don't relate to the issue you are trying to solve before using audit2allow on the file. If that works better for you, you can skip the intermediate steps and go straight to the .pp file:

cat myavcs.log | audit2allow -M mypolicy
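The pruning step above (dropping denials that have nothing to do with mail before running audit2allow, then reviewing what the module would allow) can be scripted. This is an added example, not code from the question or either answer; the audit records in it are constructed, and the type names they use (system_mail_t, postfix_smtpd_exec_t, httpd_t) are assumptions for illustration, not output from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: narrow an
# audit.log down to the AVC denials that belong to the mail-sending problem
# before feeding them to audit2allow, and list the allow rules a module built
# from those denials would contain, so the .te file can be reviewed first.

# filter_avcs DOMAIN_TYPE COMM
#   Reads audit records on stdin and keeps only "denied" AVC lines whose
#   source domain is DOMAIN_TYPE (e.g. system_mail_t) and whose comm is COMM.
filter_avcs() {
    grep 'type=AVC' | grep 'denied' \
        | grep "scontext=[^ ]*:$1:" | grep "comm=\"$2\""
}

# summarise_avcs
#   Reads AVC lines on stdin and prints "source target class perms" for each
#   distinct combination: one line per allow rule audit2allow would emit.
summarise_avcs() {
    awk '{
        perms = ""; inperm = 0; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (perms == "" ? $i : perms " " $i); continue }
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], a, ":"); s = a[3] }
            if (kv[1] == "tcontext") { split(kv[2], a, ":"); t = a[3] }
            if (kv[1] == "tclass")   c = kv[2]
        }
        print s, t, c, perms
    }' | sort -u
}

# Constructed sample records (not from the poster's system; type names are
# assumed). The last two are unrelated records that a blanket
# "grep denied | audit2allow" would also turn into allow rules.
SAMPLE_AUDIT='type=AVC msg=audit(1600000000.100:1): avc:  denied  { execute } for  pid=10883 comm="sendmail" name="smtpd" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.200:2): avc:  denied  { read open } for  pid=10883 comm="sendmail" name="smtpd" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.300:3): avc:  denied  { name_connect } for  pid=2222 comm="php-fpm" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1600000000.300:3): arch=c000003e syscall=42 success=yes exit=0 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)'

# Usage: only the sendmail denials survive; the filtered lines are what you
# would then pipe into "audit2allow -M mypolicy".
printf '%s\n' "$SAMPLE_AUDIT" | filter_avcs system_mail_t sendmail | summarise_avcs
```

On a real box replace the sample with `cat /var/log/audit/audit.log` and pick the domain and comm from the denial you are actually chasing; the summary is the list of rules to compare against the .te file before installing it.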
