2

When somebody sends an email to my server, e.g.

somestringthatisnotnecessarilyauser@myserver.com

I want it to pipe to a PHP script. So in my

/etc/aliases

file I have:

somestringthatisnotnecessarilyauser: "|/path/to/php/script.php"

With SELinux disabled, it sends the email to the PHP script perfectly.

With SELinux enabled, the maillog is coming out with a permissions error:

local[19660]: fatal: execvp /path/to/php/script.php: Permission denied

I am quite new to SELinux but I have pinned the problem down to SELinux, because with it disabled, it works fine.

Does anybody know what semanage commands, or other policy, I need to apply to get this working with SELinux enabled?

OS is CentOS 6.5 64 bit

Here is what the /var/log/audit/audit.log is saying when sending email to address:

type=AVC msg=audit(1395174916.444:476603): avc:  denied  { search } for  pid=25396 comm="local" name="web" dev=dm-0 ino=522246 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1395174916.444:476603): arch=c000003e syscall=59 success=no exit=-13 a0=7feaddb404a0 a1=7feaddb40470 a2=7feaddb3b2d0 a3=7fffa4fe93d0 items=0 ppid=21187 pid=25396 auid=500 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=69836 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)

Here is the output of getsebool httpd_can_sendmail

$ getsebool httpd_can_sendmail
httpd_can_sendmail --> on
  • You should mention the distro you're using. Guessing CentOS/RHEL due to SELinux being used in them by default. You should be able to see some messages from SELinux in /var/log/audit/audit.log; can you see anything relevant? Look for AVC denials, and sometimes there are some hints in /var/log/messages – squareborg Mar 18 '14 at 20:29
  • Hi Shutupsquare, yep it's CentOS 6.5. Have updated the question with the info. Will check audit log and put info on the question too... – Daniel Procter Mar 18 '14 at 20:35
  • can you post the output of `getsebool httpd_can_sendmail` – squareborg Mar 18 '14 at 20:56
  • I've added it to the question... httpd_can_sendmail --> on – Daniel Procter Mar 18 '14 at 21:06

2 Answers

5

SELinux is pretty daunting to learn. Heck, I still don't fully understand everything. But one thing that has helped me was to install the package setroubleshoot and learn how to use the sealert and audit2allow tools. It looks at your audit log, finds what was denied, gives a basic description for why it was blocked and helps you to create rules to allow it if needed. I think it's part of the EPEL repo. Check it out.

Safado
  • wow, setroubleshoot has a lot of dependencies... are you able to make any sense from the audit log messages I posted in the question? thanks for your reply! – Daniel Procter Mar 18 '14 at 20:48
  • sealert came back with `SELinux is preventing /usr/libexec/postfix/local from search access on the directory web.` -- It doesn't give any suggestions on how to fix it by changing the context (this is where having more SELinux knowledge comes in hand) but it does give you the option to build a custom module to allow /usr/libexec/postfix/local to search the web directory. – Safado Mar 18 '14 at 20:53
  • Odd, I don't actually have a directory called web, but I suppose that's referring to the web accessible directory (which is actually in a directory /home/[user]/webdocs/blahblah/pipes/mypipe.php) – Daniel Procter Mar 18 '14 at 21:07
  • It's coming from that first line in your log output. The auditd documentation says this about COMM and NAME: `COMM=The application name under which it appears in the task list.` and `NAME=Refers to the pathname passed as an argument to the less (or open) call.` Typically what I see in that column is an absolute path to a file or directory. At any rate, what it IS saying is that /usr/libexec/postfix/local is trying to access something (web?) via search, but SELinux doesn't think it should so it denies it. You'll need to create a custom module to allow it. – Safado Mar 18 '14 at 21:19
  • I installed setroubleshoot-server, which is for a non-GUI environment, and that was really helpful too. Thanks Safado! – Daniel Procter Mar 18 '14 at 21:39
  • @Daniel Procter So finally what was the solution? What did you do to solve your issue? – krisFR Apr 10 '14 at 02:11
  • Hi @krisFR - I installed `setroubleshoot-server`, ran `sealert` on the `audit.log` which produced a SE policy, which I then installed using `semanage` (I think!). Looking at the policy it looks like it's allowing `postfix_local_t` to read, search and open on the `httpd_sys_content_t:dir` and `:file`... Does that help? Makes sense as the pipe script is in the httpd_sys_content directory. – Daniel Procter Apr 10 '14 at 08:52
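The AVC record in the question and the policy Daniel describes in the last comment are two ends of the same process, so here is an added example (not code from the original post, and not sealert or audit2allow themselves) that pulls the denied permissions, source type and target type out of AVC records and merges them into allow rules in the layout audit2allow prints. The sample log is constructed: it embeds the question's AVC line, the SYSCALL record a parser must skip, and a second AVC record added here to show the follow-on denial on the script file.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC record quoted in the question, the SYSCALL
# record that follows it (carries no denial fields), and a second AVC record
# constructed here for the file access that is denied next.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1395174916.444:476603): avc:  denied  { search } for  pid=25396 comm="local" name="web" dev=dm-0 ino=522246 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1395174916.444:476603): arch=c000003e syscall=59 success=no exit=-13 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1395174917.101:476610): avc:  denied  { read open } for  pid=25396 comm="local" name="script.php" dev=dm-0 ino=522250 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type (third field) of a context like user:role:type:level."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Extract each AVC denial as (source_type, target_type, class, permissions)."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                        m["tclass"], set(m["perms"].split())))
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, audit2allow style."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each generated rule grants postfix_local_t that access to everything labelled httpd_sys_content_t, not just the pipe script, which is the breadth trade-off the comments on the second answer weigh against going permissive.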
1

You could try:

semanage permissive -a postfix_local_t

It is supposed to set SELinux permissive for the process type postfix_local_t.

krisFR
  • @DanielProcter This will get it to work but it's not the best method. You've switched SELinux off for the whole of the postfix process. You really need to make a bit of policy as mentioned in the answer by Safado. – squareborg Mar 18 '14 at 22:26
  • OK, I will give this a go... How do I go about undoing the command above that sets postfix_local_t to permissive? – Daniel Procter Mar 19 '14 at 10:05
  • @DanielProcter To undo run `semanage permissive -d postfix_local_t` – krisFR Mar 19 '14 at 10:27