Home / server / Questions / 1073583
In Process
mahen3d
Asked: 2021-08-05 21:16:33 +0800 CST

SELinux - blocks postfix emails sending out from the Web Application

  • 772

My System environment, is Centos-7.9, Apache2.4, Php-fpm, PHP-7.4

I have postfix setup to send emails from the website, which is working in stand-alone test emails and when I turn the SELinux off.

However, if SELinux is enabled it will block sending the emails out from the server with below error in the /var/log/maillog

 postfix/sendmail[10883]: fatal: execv /usr/libexec/postfix/smtpd: Permission denied

When i do

  sudo setenforce 0

It sends emails, however, I don't want to turn SELinux off, But i would like to allow my Web-Application to white-list sending emails. I tried below but that didn't work

sudo setsebool -P httpd_can_sendmail 1

Any idea on how to solve this issue?

centos postfix selinux

2 Answers

  1. This is a known bug with RHEL 7.7 an up when using php-fpm instead of Apache's mod_php. Since you're on CentOS 7.9 it applies.

    You can read more regarding the issue on Red Hat's Bugzilla: http://bugzilla.redhat.com/show_bug.cgi?id=1754622

    As for a solution for your issue, the first and most obvious one is disabling SELinux, but as a second option, I would recommend the following:

    1. Install the package policycoreutils-python
    2. Use audit2why and audit2allow to create custom rules to enable php-fpm to work with SELinux enabled.
    3. tail -f on /var/log/audit/audit.log and try to send a mail message from httpd. Get the output and seed it through audit2why and audit2allow. It would be self explanatory.
    4. Apply the rules advised by both programs.

    A third solution would be putting httpd_t or system_mail_t (depending on the output of audit2allow) in permissive mode if you don't want to craft custom rules specific to this machine. But keep in mind that doing this you'll be disabling SELinux to an entire context.

    That would be done with the following command: semanage permissive -a httpd_t or semanage permissive -a system_mail_t. To undo the changes just change -a to -d.

    • 0

  2. What I would do here is

    Put SELinux in permissive mode

    setenforce 0

    Rotate the auditd logs so I get a clean(er) list of AVC denials

    kill -USR1 $(cat /run/auditd.pid)

    Cause The issue to occur and generate audit messages

    Create a local policy module

    grep denied /var/log/audit/audit.log | audit2allow -m mypolicy >mypolicy.te

    Check that the generated policy file looks like I expect it to and doesn't 'give away' things I don;t want it to and edit as required.

    Create and install the policy

    checkmodule -M -m -o mypolicy.mod mypolicy.te
semodule_package -o mypolicy.pp -m mypolicy.mod
semodule -i mypolicy.pp

    You may find it easier to put all the AVC denials into a separate file and then remove the ones that don't relate to the issue you are trying to solve before using audit2alow on the file. If that works better for you you can skip the intermediate steps and go straight to the .pp file

    cat myavcs.log | audit2allow -M mypolicy
    • 0