SELinux is preventing /usr/sbin/sendmail.postfix from read access on the file

Why am I getting the “SELinux is preventing /usr/sbin/sendmail.postfix from read access on the file …” message every time I send an email in PHP?

No idea why sendmail needs to read a PHP file.

According to the log, the source and target context are different. But it’s not clear if this is the problem or not.

Log shows:

SELinux is preventing /usr/sbin/sendmail.postfix from read access on the file /var/www/html/send-email.php.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sendmail.postfix should be allowed read access on the send-email.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -X 300 -i my-sendmail.pp


Additional Information:
Source Context                system_u:system_r:system_mail_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                /var/www/html/send-email.php [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          xxxxxxxxxx-prod
Source RPM Packages           postfix-3.5.9-19.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxxxx-prod
Platform                      Linux xxxxxxxxxx-prod
                              PREEMPT_DYNAMIC Wed Mar 1 22:02:24 UTC 2023 x86_64
                              x86_64
Alert Count                   3283
First Seen                    2023-03-30 18:03:38 CEST
Last Seen                     2024-02-29 12:16:58 CET
Local ID                      43f6879e-354b-4593-b3a4-90adc111f26c

Can you help me to understand what’s happening and how to fix it?

Thanks.

Did you try the suggested fix?
It is not clear whether the fix is immediate or you have to reboot.
I recently had a similar issue on a Fedora laptop, and implementing the suggested fix did not work for me; this was for ssh access for my backup service. In the end this is what I did to fix it.
I edited /etc/selinux and set it to permissive mode and then created the “autorelabel” empty file on root preceded with a dot.

# touch /.autorelabel

I then rebooted and let the system relabel all the files, and after logging in I reset /etc/selinux to enforcing and rebooted again. The BackupPC program that runs on my Rocky server was then able to ssh into the laptop and do the backup.
Is there a better way?

Looks like your code is trying to execute sendmail.postfix. Try executing this test file from the cli and also from your webserver.

<?php
// The message
$message = "Line 1\r\nLine 2\r\nLine 3";

// In case any of our lines are larger than 70 characters, we should use wordwrap()
$message = wordwrap($message, 70, "\r\n");

// Send
mail('root@localhost', 'My Subject', $message);
?>

Hi,

Thank you for your message. Perhaps my previous message was not clear. Let me try to explain it better.

I have several PHP scripts, and in all of them I am using the mail() function to send emails. In my case, emails are working fine and the email is being sent successfully. Nonetheless, I am encountering SELinux log messages in /var/log/messages.

I haven’t tried the suggestion because I’m not clear on why sendmail needs to read a PHP file when I’m using the mail() function. I don’t want to add a new rule in SELinux until I understand why this is happening.

Source: GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP

That is why.

Hi Ian,

Thank you for your message. I’m aware that the PHP mail function utilizes sendmail in Linux. However, I’m curious about why sendmail must read the entire PHP file when I use the mail() function. Will sendmail read the entire file if it’s large? Could this potentially expose sensitive data within the code? I doubt it.

Incorrect. Your mail server is NOT reading any PHP file(s), only the OUTPUT from your PHP code. SELINUX is only complaining that your web server PHP scripts don’t have access to the mail server.

The exploits for the 20+ year old mail() function for injecting malicious code are well documented in the PHPMailer link above and are a must read whether you are running private or public web server(s).

Thank you very much for your help.
I’m a bit puzzled, though. If SELinux is set to Enforcing mode and the email function is successfully sending emails, why is SELinux generating the log entry ‘SELinux is preventing /usr/sbin/sendmail.postfix…’?
Then, could the solution be to change the context for sendmail.postfix to the ‘httpd_exec_t’ context?

Did you run the test script as suggested?
What were the results?
getsebool -a | grep mail

Yes, the test script works and I’m able to get the email, but a log entry is added to /var/log/messages

“SELinux is preventing /usr/sbin/sendmail.postfix from read access on the file /var/www/html/test-email.php”

The output of getsebool -a | grep mail is:

gitosis_can_sendmail --> off
httpd_can_sendmail --> on
logging_syslogd_can_sendmail --> off
logwatch_can_network_connect_mail --> off
mailman_use_fusefs --> off
postfix_local_write_mail_spool --> on

Then you need to generate the local policy module that is listed.
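The suggested fix (the ausearch | audit2allow | semodule sequence quoted in the alert at the top of the thread) turns every matching AVC record into an allow rule without first showing what it is about to permit. The following Python script is added here as an illustration and is not code from anyone in this thread: it parses the same raw AVC records that ausearch --raw prints and renders the .te source such a module would contain, so the rule can be reviewed before semodule -i. The sample records are constructed from the contexts, path, class and permission quoted in the alert; the pid, dev, ino and timestamp values are filler. Because the thread establishes that mail is delivered even though the read is denied in enforcing mode, the access is evidently not needed for delivery, so the script can also emit a dontaudit rule (what audit2allow -D produces), which silences the log entry without granting system_mail_t read access to web content.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of `ausearch -c 'sendmail' --raw` output. The comm, path,
# contexts, class and permission mirror the alert quoted in the thread; the
# pid, dev, ino and timestamp values are made-up filler, not real log data.
SAMPLE_RAW = """\
type=AVC msg=audit(1709205418.415:8123): avc:  denied  { read } for  pid=41122 comm="sendmail" path="/var/www/html/send-email.php" dev="dm-0" ino=262299 scontext=system_u:system_r:system_mail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1709205418.415:8123): arch=c000003e syscall=59 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1709205420.002:8130): avc:  denied  { read } for  pid=41130 comm="sendmail" path="/var/www/html/test-email.php" dev="dm-0" ino=262301 scontext=system_u:system_r:system_mail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    source_type: str   # domain of the process, e.g. system_mail_t
    target_type: str   # type of the object, e.g. httpd_sys_content_t
    tclass: str        # object class, e.g. file
    perms: frozenset   # permissions that were denied
    permissive: bool   # True when the access was only logged, not blocked
    path: str
    comm: str


def parse_avc(raw: str) -> list:
    """Parse raw audit records; only type=AVC 'denied' records become Denials."""
    denials = []
    for line in raw.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PROCTITLE and similar records carry no verdict
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append(Denial(
            source_type=fields["scontext"].split(":")[2],
            target_type=fields["tcontext"].split(":")[2],
            tclass=fields["tclass"],
            perms=frozenset(m.group("perms").split()),
            permissive=fields.get("permissive", "0") == "1",
            path=fields.get("path", ""),
            comm=fields.get("comm", ""),
        ))
    return denials


def aggregate(denials):
    """Collapse denials into (source, target, class) -> union of permissions,
    which is exactly the granularity of one policy rule."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d.source_type, d.target_type, d.tclass)] |= d.perms
    return dict(rules)


def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def render_te(module_name, denials, dontaudit=False):
    """Render type-enforcement (.te) source in the shape audit2allow emits.
    dontaudit=True silences the denial instead of permitting the access."""
    rules = aggregate(denials)
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    keyword = "dontaudit" if dontaudit else "allow"
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"{keyword} {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_RAW)
    for d in found:
        mode = "permissive" if d.permissive else "enforcing"
        print(f"{d.comm} ({d.source_type}) denied {fmt_perms(d.perms)} on {d.path} "
              f"[{d.target_type}:{d.tclass}] ({mode})")
    print()
    print(render_te("my-sendmail", found, dontaudit=True))
```

Run it against real output by replacing SAMPLE_RAW with the text of ausearch --raw; the rendered .te is what you would then compile and install with the checkmodule/semodule_package/semodule steps that audit2allow -M wraps. Reviewing the rule first also makes the scope obvious: the generated rule is per type, so an allow rule would let system_mail_t read every file labelled httpd_sys_content_t, not just the one script in the alert.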