Thread:Project:Support desk/SOLVED: RedHat 6 SELinux blocks MediaWiki from using sendmail

I don't know the best way to share this information to you/the world, but hopefully, if I use enough magic words, then Google will pick it up and everybody who hits this problem will know soon enough.

On a RH6 system, we ran into the problem that MediaWiki could not send email. MediaWiki fails silently; there is no on-screen indication that the sendmail access was refused.

The auth.log has markers for the rejection, however:

type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0 auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/www/mediawiki116" cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4 res=success'
type=AVC msg=audit(1293752692.348:247): avc: denied  { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

In the Centos user group, I complained/whined about this and Daniel Walsh, the RedHat author of SELinux policy packages, was kind enough to give the fix as follows:

Turn on the httpd_can_sendmail boolean. We do not want all apache servers to be able to send mail by default.


 * 1) setsebool -P httpd_can_sendmail 1

man httpd_selinux ... SELinux policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerability in http from causing a spam attack. In certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail....

After that fix, then SELinux does not block MediaWiki's use of sendmail any more.

If I had more time, I'd look into these issues:
 * 1) Can MediaWiki be made to warn the user that sendmail access was refused? (RedCap, another PHP/CGI program we use, does give a warning, that's how I first realized the SELinux problem).
 * 2) Can the SELinux system be adjusted so that only specific CGI programs can access sendmail?  If it really is a security issue, I would like to not issue the blanket permission to PHP/CGI programs for sendmail.
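As an added example, not part of the original post and not MediaWiki's or Red Hat's code, here is a small POSIX shell parser that turns AVC denial records into one summary line each and then looks for the specific symptom described above (sendmail denied while running in the httpd_t domain). The sample input is constructed: it is the post's own three audit records split one per line, plus one hypothetical AVC denial for a different permission so the filter has something to reject. On a real host you would feed it `ausearch -m avc` output or /var/log/audit/audit.log instead of the sample.

```shell
#!/bin/sh
# Constructed sample audit records. The first three are the records quoted in
# the post (one record per line); the fourth is a hypothetical, made-up AVC
# denial of a different kind, included only to show that the filter below
# ignores denials that are not the sendmail symptom.
sample_audit() {
cat <<'EOF'
type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0 auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/www/mediawiki116" cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4 res=success'
type=AVC msg=audit(1293752692.348:247): avc: denied  { search } for pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1293752700.000:250): avc: denied  { name_connect } for pid=4590 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit records on stdin; print one line per AVC denial in the form:
#   <permission> <source type> <target type> <object class> <comm>
# The type is the third colon-separated field of scontext/tcontext.
avc_denials() {
    grep 'type=AVC' | grep 'avc: *denied' | sed -n \
        's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p'
}

# Keep only denials whose source domain is httpd_t and whose process is
# sendmail: exactly the symptom the post describes.
httpd_sendmail_denials() {
    avc_denials | awk '$2 == "httpd_t" && $5 == "sendmail"'
}

# Return 0 (and print what to check) when the symptom is present, 1 otherwise.
report_httpd_sendmail_denials() {
    n=$(httpd_sendmail_denials | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n AVC denial(s) of sendmail from httpd_t"
        echo "check current value:  getsebool httpd_can_sendmail"
        echo "fix from the post:    setsebool -P httpd_can_sendmail 1"
        return 0
    fi
    echo "no sendmail denials from httpd_t found"
    return 1
}

# Usage with the constructed sample; replace sample_audit with
#   ausearch -m avc   or   cat /var/log/audit/audit.log
# on a real system.
sample_audit | report_httpd_sendmail_denials
```

The summary lines are deliberately terse (permission, source type, target type, class, comm) so they can be counted or grepped; the fourth sample record shows up in `avc_denials` but not in `httpd_sendmail_denials`, which is the point of separating the generic parser from the symptom-specific filter.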