
OpenShift – PHP not sending email. An SELinux problem.

This is an email I sent to the OpenShift user group which may be of interest to others. Hence its place on this blog.

Subject: Openshift and php mail not sending - SELinux issue - SOLVED
From: Andrew Galdes <[email protected]>
To: "[email protected]" <[email protected]>

Hi all,

I want to share my solution to a problem which I've had on two OpenShift
installations. When I try to send an email from a PHP script, the server
errors in "/var/log/maillog" and the email doesn't go.

SELinux is the cause. I can disable SELinux (as a test) and it works. Every
article on this topic says "enable httpd_can_sendmail" but that is already
set:

[root@My-OpenShift includes]# tail -f /var/log/maillog
May 31 12:21:13 My-OpenShift postfix/sendmail[6746]: fatal: chdir /var/spool/postfix: Permission denied
^C
[root@My-OpenShift includes]# getsebool -a | grep sendmail
httpd_can_sendmail --> on

The "/var/log/audit/audit.log" logs show the following:

type=AVC msg=audit(1433041351.449:255991): avc:  denied  { search } for  pid=12038 comm="sendmail" name="postfix" dev=dm-0 ino=655594 scontext=unconfined_u:system_r:openshift_t:s0:c6,c293 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1433041351.449:255991): arch=c000003e syscall=80 success=no exit=-13 a0=7fadade5a8d0 a1=7fadade5c5a0 a2=2000 a3=7fff6274d050 items=0 ppid=26592 pid=12038 auid=6410 uid=6410 gid=6410 euid=6410 suid=6410 fsuid=6410 egid=6410 sgid=6410 fsgid=6410 tty=(none) ses=40573 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:openshift_t:s0:c6,c293 key=(null)


I extracted the above out of "/var/log/audit/audit.log" and placed it in
"/tmp/audit.log" as the above log grows fast. If you don't get it, run the
command "semodule -DB" to enable logging. Disable it later with "semodule -B".
So I ran "sealert -a /tmp/audit.log" which asked me to run a few commands
(below) which I did. And the error in "/var/log/maillog" was no longer
appearing. It was fixed.

[root@My-OpenShift includes]# grep sendmail /tmp/audit.log | audit2allow -M mypol
[root@My-OpenShift includes]# semodule -i mypol.pp

Why this happens is beyond me. The above solution worked on one of my
installations but not the other. I'll investigate why later.

Ta,



-Andrew Galdes
Managing Director
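
Added example (not part of the original email, and not OpenShift or audit2allow code): a Python sketch that reads AVC denials like the one quoted above and derives the type-enforcement allow rule each one implies, so the access being granted can be reviewed before a module built from the same log is loaded with semodule -i. The function names and the comm filter are assumptions of this example; it only approximates what audit2allow does and ignores the MCS categories in the source context.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the post, joined onto one line,
# plus a shortened SYSCALL record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1433041351.449:255991): avc:  denied  { search } for  pid=12038 comm="sendmail" name="postfix" dev=dm-0 ino=655594 scontext=unconfined_u:system_r:openshift_t:s0:c6,c293 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1433041351.449:255991): arch=c000003e syscall=80 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)')

def selinux_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def denials_to_rules(log_text, comm=None):
    """Collapse AVC denials into allow rules, optionally filtered by comm=."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        perms[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        # A single permission is written bare, several are braced and sorted.
        body = next(iter(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG, comm="sendmail"):
        print(rule)
```

The rule is keyed on the types only, so it applies to every process running as the source type, not just the one gear whose categories appear in the log.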

