Sending mail from php to exim with SELinux enabled

I have installed nginx, php-fpm and exim, which I prefer over postfix. When I use php’s mail() function to send mail to a local user with SELinux enabled, nothing arrives.

When I set SELinux to permissive it does work, and audit2allow suggests the following SELinux policy rules. Is this the only way of getting php to send mail to exim with SELinux enabled? Shouldn’t similar rules be preconfigured?

#============= httpd_t ==============
allow httpd_t etc_aliases_t:file { getattr open read };
allow httpd_t exim_log_t:file open;
allow httpd_t exim_spool_t:dir { add_name read remove_name write };
allow httpd_t exim_spool_t:file { append create getattr lock open read rename setattr unlink write };
allow httpd_t mail_spool_t:dir { add_name remove_name };
allow httpd_t mail_spool_t:file { append create getattr link lock open read setattr unlink write };
allow httpd_t mail_spool_t:lnk_file read;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_use_opencryptoki
allow httpd_t self:capability fowner;

Have you tried setting the httpd_can_sendmail SELinux boolean (setsebool)?

Note that best practice is to avoid the mail function and prefer a dedicated library (phpmailer, symfony/mailer…) using a direct connection to your SMTP server.


Have you tried setting the httpd_can_sendmail SELinux boolean (setsebool)?

Thanks, this works. audit2allow is normally pretty good at pointing me towards the right booleans, but I wonder why not in this case?