My system environment is CentOS 7.9, Apache 2.4, PHP-FPM, PHP 7.4.
I have Postfix set up to send emails from the website, which is working in stand-alone test emails and when I turn SELinux off.
However, if SELinux is enabled it will block sending the emails out from the server with the below error in `/var/log/maillog`:
`postfix/sendmail[10883]: fatal: execv /usr/libexec/postfix/smtpd: Permission denied`
When I do
`sudo setenforce 0`
it sends emails. However, I don't want to turn SELinux off, but I would like to allow my web application to white-list sending emails. I tried the below but that didn't work:
`sudo setsebool -P httpd_can_sendmail 1`
Any idea on how to solve this issue?
This is a known bug with RHEL 7.7 and up when using `php-fpm` instead of Apache's `mod_php`. Since you're on CentOS 7.9 it applies. You can read more regarding the issue on Red Hat's Bugzilla: http://bugzilla.redhat.com/show_bug.cgi?id=1754622

As for a solution for your issue, the first and most obvious one is disabling SELinux, but as a second option, I would recommend the following: use `policycoreutils-python`, `audit2why` and `audit2allow` to create custom rules to enable `php-fpm` to work with SELinux enabled. `tail -f` on `/var/log/audit/audit.log` and try to send a mail message from `httpd`. Get the output and feed it through `audit2why` and `audit2allow`. It would be self-explanatory.

A third solution would be putting `httpd_t` or `system_mail_t` (depending on the output of `audit2allow`) in permissive mode if you don't want to craft custom rules specific to this machine. But keep in mind that by doing this you'll be disabling SELinux for an entire context. That would be done with the following command: `semanage permissive -a httpd_t` or `semanage permissive -a system_mail_t`. To undo the changes just change `-a` to `-d`.

What I would do here is:
1. Put SELinux in permissive mode
2. Rotate the auditd logs so I get a clean(er) list of AVC denials
3. Cause the issue to occur and generate audit messages
4. Create a local policy module
5. Check that the generated policy file looks like I expect it to and doesn't 'give away' things I don't want it to, and edit as required
6. Create and install the policy

You may find it easier to put all the AVC denials into a separate file and then remove the ones that don't relate to the issue you are trying to solve before using `audit2allow` on the file. If that works better for you, you can skip the intermediate steps and go straight to the `.pp` file.
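The six steps above as an added shell script (example code, not from either answer): it filters the collected denials down to the `httpd_t` ones, as the last paragraph suggests, and refuses to install the module until the generated `.te` has passed a simple review. The tool names are the ones the answers mention; the module name `httpd_sendmail_local`, the file `./httpd_denials.log` and the sample audit lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from either answer: the six steps above as functions,
# plus the two checks the second answer describes (keep only the relevant AVC
# denials; review the generated .te before installing). Assumptions:
# audit2why/audit2allow/semodule (policycoreutils-python) are installed, the
# module name and ./httpd_denials.log are placeholders, the audit lines are CONSTRUCTED.
# Keep only AVC denials whose source domain is $2 (e.g. httpd_t), so denials
# from unrelated daemons never reach audit2allow.
select_avc_denials() {
    grep 'type=AVC' "$1" | grep "scontext=[^ ]*:$2:"
}

# Return 1 if the generated .te grants more than the denial asked for; these
# permissions are the usual sign of an over-broad module (heuristic list).
review_te() {
    broad='write|append|create|unlink|relabelfrom|relabelto|execmem|execmod|unconfined'
    if grep -Ewq "$broad" "$1"; then
        echo "review $1 by hand before installing:" >&2
        grep -Ew "$broad" "$1" >&2
        return 1
    fi
}

# Steps 1-3: permissive mode, fresh audit log, trigger the failure, collect.
reproduce_and_collect() {             # $1 = file that receives the selected denials
    setenforce 0
    service auditd rotate             # new audit.log holds only this test's events
    # trigger the web application's mail-sending path here (e.g. its contact form)
    select_avc_denials /var/log/audit/audit.log httpd_t > "$1"
    setenforce 1                      # back to enforcing
}

# Steps 4-6: explain the denials, build the module, review it, then install.
build_module() {                      # $1 = denials file, $2 = module name
    audit2why < "$1"
    audit2allow -M "$2" < "$1"        # writes $2.te and $2.pp in the current directory
    review_te "$2.te" || return 1
    semodule -i "$2.pp"
}
# Constructed sample log: one httpd_t denial plus noise that must be filtered out.
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { execute } for  pid=10883 comm="sendmail" name="smtpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_smtpd_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=59 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=2201 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
select_avc_denials "$SAMPLE_AUDIT" httpd_t   # offline demo: only the httpd_t line prints
if [ "${1:-}" = "--apply" ]; then             # real run, as root, on the affected host
    reproduce_and_collect ./httpd_denials.log && build_module ./httpd_denials.log httpd_sendmail_local
fi
```

Run without arguments it only exercises the filter on the constructed log; `--apply` performs the privileged steps on the affected host.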