Since I upgraded my server and activated SELinux I haven’t gotten any emails from WordPress when people post comments on this blog (that’s why it has taken me so long to approve comments). Today I decided it was time to look into the problem.
It turned out that the problem was related to the following message that I’ve been seeing in my log:
avc: denied { execute_no_trans } for pid=972 comm="apache2"
name="bash" dev=hda1 ino=26110
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
The mail() function in PHP (which is what WordPress uses to send the notification mail) is implemented with popen(3): when you call mail(), PHP runs the command configured in the sendmail_path ini setting, i.e. popen(“sendmail …”, “w”). popen() starts that command through “sh -c sendmail …”, and on this system /bin/sh is bash, which is why the denial shows comm="apache2" executing name="bash". The permission being refused, execute_no_trans, is httpd_t executing a file of type shell_exec_t without transitioning to another domain, so the stock policy was stopping the web server from running a shell in its own domain.
The solution was to allow execute_no_trans for httpd_t on shell_exec_t. With a loaded policy that means compiling the rule into a local policy module rather than editing the base policy:
allow httpd_t shell_exec_t:file execute_no_trans;

together with the httpd_can_sendmail boolean, which is what lets httpd hand the message to sendmail (and the -P makes it survive a reboot):
setsebool -P httpd_can_sendmail=1
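As an added illustration (this is not code from the original post, and the module name httpd_shell_local and the temporary directory are my own assumptions), the script below does by hand what audit2allow does: it parses the AVC denial quoted above into the allow rule, wraps that rule in a .te module source with the required type and class declarations, and builds and loads it with checkmodule, semodule_package and semodule when those tools are installed. It also handles a denial listing several permissions, which need braces in the rule.

```shell
#!/bin/sh
# Added example, not from the original post: turn an AVC denial into the
# allow rule and a loadable local policy module (what audit2allow does).
# Module name and work directory are assumptions for illustration.

# Constructed input: the denial from the post, joined onto one line.
AVC_LINE='avc: denied { execute_no_trans } for pid=972 comm="apache2" name="bash" dev=hda1 ino=26110 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

# avc_field KEY LINE: value of the KEY=value token in an AVC line.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# avc_type CONTEXT: the type, i.e. the third colon-separated field.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions between the braces, space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//; s/ *$//'
}

# avc_to_allow LINE: print the allow rule that would silence the denial.
avc_to_allow() {
    src=$(avc_type "$(avc_field scontext "$1")")
    tgt=$(avc_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1")
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te NAME LINE: print a complete .te source for the denial.
avc_to_te() {
    src=$(avc_type "$(avc_field scontext "$2")")
    tgt=$(avc_type "$(avc_field tcontext "$2")")
    cls=$(avc_field tclass "$2")
    perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
    case $perms in
        *' '*) printf '\tclass %s { %s };\n' "$cls" "$perms" ;;
        *)     printf '\tclass %s %s;\n' "$cls" "$perms" ;;
    esac
    printf '}\n\n'
    avc_to_allow "$2"
}

# build_module NAME: compile NAME.te and load it (needs the policy
# tools from policycoreutils/checkpolicy, and root for semodule -i).
build_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

main() {
    name=httpd_shell_local                 # assumed module name
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        avc_to_te "$name" "$AVC_LINE" > "$name.te"
        cat "$name.te"
        if command -v checkmodule >/dev/null 2>&1; then
            build_module "$name" || echo "build/load failed (run as root?)" >&2
        else
            echo "policy tools not installed; $workdir/$name.te written but not loaded" >&2
        fi
    )
}

main "$@"
```

Before loading a rule like this, run the denial through audit2why: if a boolean such as httpd_can_sendmail already covers it, flipping the boolean is the better fix, because the module above permits every PHP application running as httpd_t to spawn a shell inside the web server's domain. Keep a local module to exactly the permission reported, and do not widen it to "read write execute" because that happens to be quicker.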