On Wed, 28 Dec 2011 18:04:30 -0500
Edward Ned Harvey <selinuxadmin(a)clevertrove.com> wrote:
> How can this happen? It's getting denied, but not appearing in
> either the audit log or the messages file. Running Centos 6 fully
> updated, php (drupal) inside of httpd tries to send mail via postfix
> (postdrop).
>
> When I have setenforce 0, the mail goes through. No errors in any
> logs (audit.log, error_log, messages)
>
> When I have setenforce 1, the mail gets blocked. I get this message
> in httpd error_log:
>
> sendmail: fatal: execvp /usr/sbin/postdrop: Permission denied
> sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 1
> sendmail: fatal: email(a)example.com(48): unable to execute /usr/sbin/postdrop -r: Success
>
> I have auditd running. In fact, I regularly use audit2allow to
> create allow policies on this machine. So I can confidently say
> normally my selinux denials get logged in the audit.log. I am at a
> loss to think of any reason this particular failure is not getting
> logged the same way my other error messages usually get logged.
>
> I believe I can write a custom allow script by hand, but I believe I
> probably shouldn't, or if I try, it will fail for some reason.
>
> Thanks for your help...

The denials you're getting are probably being dontaudit-ed. See:
http://danwalsh.livejournal.com/11673.html

Paul.
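
One way to check for dontaudit-ed denials, as an added example that is not part of the original thread: rebuild the policy with dontaudit rules disabled (`semodule -DB`), reproduce the failure, read the new AVC records, then restore the rules (`semodule -B`). The function names, the `--run` switch and the sample audit records are constructed for illustration, and the audit log path is assumed to be the default.

```shell
#!/bin/sh
# Added example (not from the thread): surface SELinux denials hidden by dontaudit rules.

# Constructed sample audit records, NOT the poster's real denial.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1325113470.101:901): avc:  denied  { execute } for  pid=2101 comm="sendmail" name="postdrop" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1325113470.101:901): arch=c000003e syscall=59 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
type=AVC msg=audit(1325113471.202:902): avc:  denied  { read } for  pid=2200 comm="ntpd" name="example" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Print AVC denial records whose comm= equals $1; reads the files given
# after $1, or stdin when none are given.
avc_denials_for() {
    _comm="$1"; shift
    grep -h 'type=AVC' "$@" | grep 'denied' | grep "comm=\"$_comm\""
}

# Hypothetical helper: disable dontaudit rules, wait while the failure is
# reproduced, print the new denials for $1, then restore the rules.
# Needs root on an SELinux host; the audit log path is the usual default.
surface_hidden_denials() {
    _log="${2:-/var/log/audit/audit.log}"
    _before=$(wc -l < "$_log") || return 1
    semodule -DB || return 1            # rebuild policy without dontaudit rules
    trap 'semodule -B' EXIT INT TERM    # restore them even if interrupted
    printf 'Reproduce the failure (send the mail), then press Enter: '
    read -r _ignored
    tail -n +"$((_before + 1))" "$_log" | avc_denials_for "$1"
    semodule -B                         # rebuild policy with dontaudit rules back
    trap - EXIT INT TERM
}

# Run the live procedure only when asked: sh script.sh --run sendmail
if [ "${1:-}" = "--run" ]; then
    surface_hidden_denials "${2:-sendmail}"
fi
```

Leaving dontaudit rules disabled fills the audit log with noise, which is why the helper restores them on exit as well as on the normal path.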