Applicable to:
- Plesk 12.5 for Linux
- Plesk Onyx for Linux
Symptoms
- SELinux is set to Enforcing mode.
- A website configured with PHP FastCGI and with Outgoing Mail Control active is unable to send email using the PHP mail() function.
- /var/log/maillog contains the following errors:
servername journal: plesk sendmail[40208]: PASS during call 'limit-out' handler
servername journal: plesk sendmail[40208]: Unable to rename '/usr/local/psa/handlers/spool/messagelfwY7h' file: Permission denied
servername journal: plesk sendmail[40208]: System error (/usr/local/psa/handlers/spool/messagelfwY7h): No such file or directory
servername journal: plesk sendmail[40211]: Unable to open temporary file `/usr/local/psa/handlers/spool/messagelfwY7h' (2): No such file or directory
OR
host postfix/postalias[31977]: fatal: open /etc/postfix/main.cf: Permission denied
host py_limit_out[32008]: ERROR Rejecting message: system user uid='10116' is not allowed to send mail
host journal: plesk sendmail[32007]: handlers_stderr: DATA REPLY:554:5.7.0 Your message could not be sent. The user johndoe is not allowed to send email.#012REJECT
host journal: plesk sendmail[32007]: REJECT during call 'limit-out' handler
- SELinux log /var/log/audit/audit.log contains the following records:
type=AVC msg=audit(1469441919.153:60411): avc: denied { read write } for pid=3137 comm="py-limit-out" path=2F746D702F2E7863616368652E31303030342E333034362E312E6D75746578202864656C6574656429 dev="dm-0" ino=945865893 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1469441919.153:60411): avc: denied { read write } for pid=3137 comm="py-limit-out" path=2F746D702F2E7863616368652E31303030342E333034362E322E6D75746578202864656C6574656429 dev="dm-0" ino=945865895 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1469441919.153:60411): arch=c000003e syscall=59 success=yes exit=0 a0=1d424e0 a1=1d2cb10 a2=60f480 a3=7ffe9aab5800 items=0 ppid=3136 pid=3137 auid=4294967295 uid=30 gid=31 euid=30 suid=30 fsuid=30 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="py-limit-out" exe="/usr/bin/python2.7" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1469441919.309:60412): avc: denied { rename } for pid=3136 comm="sendmail" name="messageddfLtz.tmp" dev="dm-0" ino=207438792 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1469441919.309:60412): arch=c000003e syscall=82 success=no exit=-13 a0=7ffe9aab6bf0 a1=1d2b080 a2=7ffe9aab6b60 a3=7ffe9aab68d0 items=0 ppid=3135 pid=3136 auid=4294967295 uid=30 gid=31 euid=30 suid=30 fsuid=30 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/lib64/plesk-9.0/postfix-sendmail-wrapper" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Cause
This is caused by Plesk bug #PPPM-4766, which will be fixed in future Plesk updates.
Resolution
1. Log in to the server over SSH.
2. Install the audit2allow utility:
# yum install policycoreutils-python
3. Build a policy module:
# egrep 'system_mail_t|httpd_sys_script_t' /var/log/audit/audit.log | audit2allow -M sendmail_rename_spool
4. Load the newly created policy package into the kernel:
# semodule -i sendmail_rename_spool.pp
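Step 3 passes every audit record that mentions either domain to audit2allow, so the generated module allows whatever denials are in the log at that moment. The following added example (not part of the original article or of Plesk) groups the AVC denials and decodes hex-encoded paths so the expected rules can be reviewed before step 4. The function names are hypothetical and the rendered rule text only approximates audit2allow output.

```python
import re
from collections import defaultdict

# Two AVC records copied from the audit.log excerpt in this article (pid, dev and
# ino fields dropped) plus one constructed SYSCALL line that must be skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1469441919.153:60411): avc: denied { read write } for '
    'comm="py-limit-out" path=2F746D702F2E7863616368652E31303030342E333034362E'
    '312E6D75746578202864656C6574656429 '
    'scontext=system_u:system_r:system_mail_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file',
    'type=AVC msg=audit(1469441919.309:60412): avc: denied { rename } for '
    'comm="sendmail" name="messageddfLtz.tmp" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1469441919.309:60412): syscall=82 success=no',
]

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)'
    r'\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
OBJ_RE = re.compile(r'\b(?:path|name)=("[^"]*"|\S+)')

def decode_object(raw):
    """auditd quotes plain names and hex-encodes names with spaces or control bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # not hex, e.g. (null)

def summarize(lines):
    """Group denials by (source type, target type, class); type is field 3 of a context."""
    rules = defaultdict(lambda: {"perms": set(), "objects": set()})
    for m in filter(None, map(AVC_RE.search, lines)):  # non-AVC lines do not match
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        obj = OBJ_RE.search(m.string)
        if obj:
            rules[key]["objects"].add(decode_object(obj.group(1)))
    return dict(rules)

def as_allow_rules(rules):
    """Render the summary in allow-rule syntax (approximates audit2allow output)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
```

Compare the printed rules with the sendmail_rename_spool.te file that audit2allow -M writes next to the .pp package, and load the module only if nothing unexpected appears.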
Comments
2 comments
I ran into errors on CentOS7:
libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x4f44213c (No such file or directory).
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
sendmail_rename_spool: libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x4f44213c
sendmail_rename_spool: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
(No such file or directory).
semodule: Failed!
Here is how to use audit2allow to re-generate the module:
1- Install audit2allow (part of setools)
yum install policycoreutils-python
2- Re-generate module
egrep 'system_mail_t|httpd_sys_script_t' /var/log/audit/audit.log | audit2allow -M sendmail_rename_spool
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i sendmail_rename_spool.pp
3- Run
semodule -i sendmail_rename_spool.pp
@Francoise Thank you, the article was updated.