Articles in this section

See more

Cannot send email using PHP mail() function: Unable to rename '/usr/local/psa/handlers/spool/messageXXX' file: Permission denied

Avatar
Alexander Tsmokalyuk
Updated
Follow

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Symptoms

  • SELinux is set to Enforcing mode.

  • Website is configured with PHP FastCGI and is having Outgoing Mail Control active unable to send email using PHP mail() function. /var/log/mailllog contains the following errors:

    Jul 25 11:03:10 servername journal: plesk sendmail[40208]: PASS during call 'limit-out' handler 
    Jul 25 11:03:10 servername journal: plesk sendmail[40208]: Unable to rename '/usr/local/psa/handlers/spool/messagelfwY7h' file: Permission denied 
    Jul 25 11:03:10 servername journal: plesk sendmail[40208]: System error (/usr/local/psa/handlers/spool/messagelfwY7h): No such file or directory 
    Jul 25 11:03:10 servername journal: plesk sendmail[40211]: Unable to open temporary file `/usr/local/psa/handlers/spool/messagelfwY7h' (2): No such file or directory

  • SELinux log /var/log/audit/audit.log contains the following records:

    type=AVC msg=audit(1469441919.153:60411): avc:  denied  { read write } for  pid=3137 comm="py-limit-out" path=2F746D702F2E7863616368652E31303030342E333034362E312E6D75746578202864656C6574656429 dev="dm-0" ino=945865893 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
    type=AVC msg=audit(1469441919.153:60411): avc:  denied  { read write } for  pid=3137 comm="py-limit-out" path=2F746D702F2E7863616368652E31303030342E333034362E322E6D75746578202864656C6574656429 dev="dm-0" ino=945865895 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
    type=SYSCALL msg=audit(1469441919.153:60411): arch=c000003e syscall=59 success=yes exit=0 a0=1d424e0 a1=1d2cb10 a2=60f480 a3=7ffe9aab5800 items=0 ppid=3136 pid=3137 auid=4294967295 uid=30 gid=31 euid=30 suid=30 fsuid=30 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="py-limit-out" exe="/usr/bin/python2.7" subj=system_u:system_r:system_mail_t:s0 key=(null)
    type=AVC msg=audit(1469441919.309:60412): avc:  denied  { rename } for  pid=3136 comm="sendmail" name="messageddfLtz.tmp" dev="dm-0" ino=207438792 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
    type=SYSCALL msg=audit(1469441919.309:60412): arch=c000003e syscall=82 success=no exit=-13 a0=7ffe9aab6bf0 a1=1d2b080 a2=7ffe9aab6b60 a3=7ffe9aab68d0 items=0 ppid=3135 pid=3136 auid=4294967295 uid=30 gid=31 euid=30 suid=30 fsuid=30 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/lib64/plesk-9.0/postfix-sendmail-wrapper" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Cause

Plesk bug with ID #PPPM-4766 which will be fixed in future Plesk updates.

Resolution

1. Login to the server over SSH

2. Install audit2allow utility:

 # yum install policycoreutils-python

3. Build a policy module:

# egrep 'system_mail_t|httpd_sys_script_t' /var/log/audit/audit.log | audit2allow -M sendmail_rename_spool

4. Load the newly created policy package into the kernel:

# semodule -i sendmail_rename_spool.pp

Comments

2 comments

Sort by Date Votes
  • Avatar
    Fran Le Bouleix (Edited )

    I ran into errors on CentOS7:

    libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x4f44213c (No such file or directory).
    libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
    sendmail_rename_spool: libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x4f44213c
    sendmail_rename_spool: Failed to read policy package
    libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
     (No such file or directory).
    semodule:  Failed!

     

    Here is how to use audit2allow to re-generate the module:

    1- Install audit2allow (part of setools)

     yum install policycoreutils-python

    2- Re-generate module

     egrep 'system_mail_t|httpd_sys_script_t' /var/log/audit/audit.log | audit2allow -M sendmail_rename_spool

    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    semodule -i sendmail_rename_spool.pp

    3- Run

      semodule -i sendmail_rename_spool.pp

     

    0
    Permalink
  • Avatar
    Alexander Tsmokalyuk

    @Francoise Thank you, the article was updated.

    0
    Permalink

Please sign in to leave a comment.

Related articles