When somebody sends an email to my server, e.g. somestringthatisnotnecessarilyauser@myserver.com, I want it to pipe to a PHP script. So in my /etc/aliases file I have:
somestringthatisnotnecessarilyauser: "|/path/to/php/script.php"
With SELinux disabled, it sends the email to the PHP script perfectly.
With SELinux enabled, the maillog is coming out with a permissions error:
local[19660]: fatal: execvp /path/to/php/script.php: Permission denied
I am quite new to SELinux but I have pinned the problem down to SELinux, because with it disabled, it works fine.
Does anybody know what semanage commands, or other policy, I need to apply to get this working with SELinux enabled?
OS is CentOS 6.5, 64-bit.
Here is what /var/log/audit/audit.log is saying when sending an email to the address:
type=AVC msg=audit(1395174916.444:476603): avc: denied { search } for pid=25396 comm="local" name="web" dev=dm-0 ino=522246 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1395174916.444:476603): arch=c000003e syscall=59 success=no exit=-13 a0=7feaddb404a0 a1=7feaddb40470 a2=7feaddb3b2d0 a3=7fffa4fe93d0 items=0 ppid=21187 pid=25396 auid=500 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=69836 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)
Here is the output of getsebool httpd_can_sendmail:
$ getsebool httpd_can_sendmail
httpd_can_sendmail --> on
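
Added example, not part of the original post: a Python sketch that pairs the AVC and SYSCALL records quoted above by their shared audit event serial and extracts which domain was denied which permission on which labelled object. The function names are this example's own; on x86_64 (arch=c000003e) syscall 59 is execve and exit -13 is EACCES, which matches the execvp failure in the maillog.

```python
import re
from collections import defaultdict

# The two audit records quoted in the post (they share event serial 476603).
SAMPLE = '''type=AVC msg=audit(1395174916.444:476603): avc: denied { search } for pid=25396 comm="local" name="web" dev=dm-0 ino=522246 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1395174916.444:476603): arch=c000003e syscall=59 success=no exit=-13 a0=7feaddb404a0 a1=7feaddb40470 a2=7feaddb3b2d0 a3=7fffa4fe93d0 items=0 ppid=21187 pid=25396 auid=500 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=69836 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:  # only AVC records carry the "{ perm ... }" list
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        events[serial][rtype] = fields
    return dict(events)

def summarize(event):
    """Reduce one event to the facts needed to reason about a label or policy fix."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    return {
        'source_type': avc['scontext'].split(':')[2],  # domain of the process
        'target_type': avc['tcontext'].split(':')[2],  # label on the object
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'object_name': avc.get('name'),
        'exe': sc.get('exe'),
        'syscall': sc.get('syscall'),
        'exit': int(sc['exit']) if 'exit' in sc else None,
    }

if __name__ == '__main__':
    for serial, ev in parse_events(SAMPLE).items():
        if 'AVC' in ev:
            print(serial, summarize(ev))
```

For the records in the post, the summary shows postfix_local_t denied search on a directory named web labelled httpd_sys_content_t, so the denial is on a parent directory of the script rather than on the script file itself.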