SELinux settings to allow apache to send mail

Posted by in Code Snippets, Tutorials

I was working in a WordPress instance today that is installed in a Centos box. The issue was that I could not send any email through wp_mail() function in wordpress, which essentially uses PHP’s mail() function, which in turn, uses sendmail. So the very first thing I’ve tried doing was to create a simple PHP test script and ran it from the machine locally. The email worked fine so I knew sendmail was not the problem. Next, I tried to execute the script over the webserver, and sure enough, the script failed to send me any email. When I checked the apache log files (/var/log/httpd/error_log), I saw the following error:

sendmail: fatal: chdir /var/spool/postfix: Permission denied

With my infinite knowledge, I instantly knew it had something to do with SELinux settings (I lie, I googled the error). This happened because the user apache server is running as (apache in my case) did not have permission to send out any email. This was confirmed by running the command

$> sestatus -b | grep -i sendmail

Which revealed

httpd_can_sendmail off
logging_syslogd_can_sendmail off

This meant that the beloved apache server was hatefully not allowed to send out emails. Gee, thanks SELinux. A quick remedy was to run the following command with escalated privileges and I was on my way to sending spam emails to all my friends right from my server (I lie, I had no intention of spamming anybody!):

# setsebool -P httpd_can_sendmail 1

setsebool is a nifty tool to set any SELinux boolean settings to on or off. The -P flag is the persist the specified setting across system reboots.