This is an email I sent to the OpenShift user group which may be of interest to others. Hence its place on this blog.
Subject: Openshift and php mail not sending - SELinux issue - SOLVED
From: Andrew Galdes <[email protected]>
To: "[email protected]" <[email protected]>

Hi all,

I want to share my solution to a problem which I've had on two OpenShift installations. When I try to send an email from a PHP script, the server logs an error in "/var/log/maillog" and the email doesn't go. SELinux is the cause. I can disable SELinux (as a test) and it works. Every article on this topic says "enable httpd_can_sendmail" but that is already set:

    [root@My-OpenShift includes]# tail -f /var/log/maillog
    May 31 12:21:13 My-OpenShift postfix/sendmail[6746]: fatal: chdir /var/spool/postfix: Permission denied
    ^C
    [root@My-OpenShift includes]# getsebool -a | grep sendmail
    httpd_can_sendmail --> on

The "/var/log/audit/audit.log" logs show the following:

    type=AVC msg=audit(1433041351.449:255991): avc: denied { search } for pid=12038 comm="sendmail" name="postfix" dev=dm-0 ino=655594 scontext=unconfined_u:system_r:openshift_t:s0:c6,c293 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
    type=SYSCALL msg=audit(1433041351.449:255991): arch=c000003e syscall=80 success=no exit=-13 a0=7fadade5a8d0 a1=7fadade5c5a0 a2=2000 a3=7fff6274d050 items=0 ppid=26592 pid=12038 auid=6410 uid=6410 gid=6410 euid=6410 suid=6410 fsuid=6410 egid=6410 sgid=6410 fsgid=6410 tty=(none) ses=40573 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:openshift_t:s0:c6,c293 key=(null)

I extracted the above out of "/var/log/audit/audit.log" and placed it in "/tmp/audit.log" as the above log grows fast. If you don't get it, run the command "semodule -DB" to enable logging. Disable it later with "semodule -B".

So I ran "sealert -a /tmp/audit.log" which asked me to run a few commands (below) which I did. And the error in "/var/log/maillog" was no longer appearing. It was fixed.

    [root@My-OpenShift includes]# grep sendmail /tmp/audit.log | audit2allow -M mypol
    [root@My-OpenShift includes]# semodule -i mypol.pp

Why this happens is beyond me. The above solution worked on one of my installations but not the other. I'll investigate why later.

Ta,
-Andrew Galdes
Managing Director