Two AVCs


Two AVCs

by John Griffiths-4

I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am getting these AVCs. They do not seem to inhibit functionality but still troublesome to get the selinux alerts all the time. Are these bugs in the policy or something that will not be addressed and I need to generate local policy?

1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.

Raw Audit Messages :

node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc: denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]" dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file

node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886): arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4 a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

2) SELinux is preventing sendmail (system_mail_t) "read" to /usr/share/GeoIP/GeoIP.dat (usr_t).

Raw Audit Messages :

node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc: denied { read } for pid=1311 comm="sendmail" path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806): arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08 a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)

Regards,
John Griffiths

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Two AVCs

by Daniel J Walsh

On 09/23/2009 07:47 AM, John Griffiths wrote:

> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
> getting these AVCs. They do not seem to inhibit functionality but still
> troublesome to get the selinux alerts all the time. Are these bugs in the policy
> or something that will not be addressed and I need to generate local policy?
>
>     1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>
>     Raw Audit Messages :
>
>     node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>     denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>     dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>     tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>
>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>     arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>     a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>     suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>     comm="postdrop" exe="/usr/sbin/postdrop"
>     subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.

>
>     2) SELinux is preventing sendmail (system_mail_t) "read" to
>     /usr/share/GeoIP/GeoIP.dat (usr_t).
>
>     Raw Audit Messages :
>
>     node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>     denied { read } for pid=1311 comm="sendmail"
>     path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>     scontext=system_u:system_r:system_mail_t:s0
>     tcontext=system_u:object_r:usr_t:s0 tclass=file
>
>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>     arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>     a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>     suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>     comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>     subj=system_u:system_r:system_mail_t:s0 key=(null)
>
This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat

> Regards,
> John Griffiths
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You can add custom policy to allow these by executing audit2allow -M mypol


Re: Two AVCs

by Paul Howarth

On Wed, 23 Sep 2009 07:57:03 -0700
Daniel J Walsh <dwalsh@...> wrote:

> On 09/23/2009 07:47 AM, John Griffiths wrote:
> >     2) SELinux is preventing sendmail (system_mail_t) "read" to
> >     /usr/share/GeoIP/GeoIP.dat (usr_t).
> >
> >     Raw Audit Messages :
> >
> >     node=elijah.suretrak21.net type=AVC
> > msg=audit(1253643380.763:60806): avc: denied { read } for pid=1311
> > comm="sendmail" path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0
> > ino=663651 scontext=system_u:system_r:system_mail_t:s0
> >     tcontext=system_u:object_r:usr_t:s0 tclass=file
> >
> >     node=elijah.suretrak21.net type=SYSCALL
> > msg=audit(1253643380.763:60806): arch=40000003 syscall=11
> > success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08 a3=0 items=0
> > ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> > fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> > comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> > subj=system_u:system_r:system_mail_t:s0 key=(null)
> >
> This one looks like a leak unless something is actually trying to
> mail /usr/share/GeoIP/GeoIP.dat

Are you using milter-greylist by any chance?

Paul.


Re: Two AVCs

by John Griffiths-4



Paul Howarth wrote:
> On Wed, 23 Sep 2009 07:57:03 -0700
> Daniel J Walsh <dwalsh@...> wrote:
>
> > On 09/23/2009 07:47 AM, John Griffiths wrote:
> > >     2) SELinux is preventing sendmail (system_mail_t) "read" to
> > >     /usr/share/GeoIP/GeoIP.dat (usr_t).
> > >
> > >     Raw Audit Messages :
> > >
> > >     node=elijah.suretrak21.net type=AVC
> > > msg=audit(1253643380.763:60806): avc: denied { read } for pid=1311
> > > comm="sendmail" path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0
> > > ino=663651 scontext=system_u:system_r:system_mail_t:s0
> > >     tcontext=system_u:object_r:usr_t:s0 tclass=file
> > >
> > >     node=elijah.suretrak21.net type=SYSCALL
> > > msg=audit(1253643380.763:60806): arch=40000003 syscall=11
> > > success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08 a3=0 items=0
> > > ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> > > fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> > > comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> > > subj=system_u:system_r:system_mail_t:s0 key=(null)
> > >
> > This one looks like a leak unless something is actually trying to
> > mail /usr/share/GeoIP/GeoIP.dat
>
> Are you using milter-greylist by any chance?

Not using milter-greylist; package is not installed.

> Paul.
  


Re: Two AVCs

by John Griffiths-4



Daniel J Walsh wrote:
> On 09/23/2009 07:47 AM, John Griffiths wrote:
>
>> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
>> getting these AVCs. They do not seem to inhibit functionality but still
>> troublesome to get the selinux alerts all the time. Are these bugs in the policy
>> or something that will not be addressed and I need to generate local policy?
>>
>>     1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>>
>>     Raw Audit Messages :
>>
>>     node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>>     denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>>     dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>>     tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>>
>>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>>     arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>>     a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>>     suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>>     comm="postdrop" exe="/usr/sbin/postdrop"
>>     subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
>>
> This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.

This happens in conjunction with email being sent by Bugzilla which is of course being served by apache.

>>     2) SELinux is preventing sendmail (system_mail_t) "read" to
>>     /usr/share/GeoIP/GeoIP.dat (usr_t).
>>
>>     Raw Audit Messages :
>>
>>     node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>>     denied { read } for pid=1311 comm="sendmail"
>>     path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>>     scontext=system_u:system_r:system_mail_t:s0
>>     tcontext=system_u:object_r:usr_t:s0 tclass=file
>>
>>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>>     arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>>     a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>>     suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>     comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>>     subj=system_u:system_r:system_mail_t:s0 key=(null)
>>
> This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat

Apache has geoip_module configured, but that is the only place I have GeoIP configured.

>> Regards,
>> John Griffiths
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@...
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> You can add custom policy to allow these by executing audit2allow -M mypol
  


Re: Two AVCs

by Daniel J Walsh

On 09/23/2009 12:00 PM, John Griffiths wrote:

>
>
> Daniel J Walsh wrote:
>> On 09/23/2009 07:47 AM, John Griffiths wrote:
>>    
>>> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
>>> getting these AVCs. They do not seem to inhibit functionality but still
>>> troublesome to get the selinux alerts all the time. Are these bugs in the policy
>>> or something that will not be addressed and I need to generate local policy?
>>>
>>>      1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>>>
>>>      Raw Audit Messages :
>>>
>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>>>      denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>>>      dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>>>      tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>>>
>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>>>      arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>>>      a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>>>      suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>>>      comm="postdrop" exe="/usr/sbin/postdrop"
>>>      subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
>>>      
>> This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
>>    
> This happens in conjunction with email being sent by Bugzilla which is of course
> being served by apache.

Is mail being sent successfully?  I believe this is also a leaked file descriptor.

>>>      2) SELinux is preventing sendmail (system_mail_t) "read" to
>>>      /usr/share/GeoIP/GeoIP.dat (usr_t).
>>>
>>>      Raw Audit Messages :
>>>
>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>>>      denied { read } for pid=1311 comm="sendmail"
>>>      path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>>>      scontext=system_u:system_r:system_mail_t:s0
>>>      tcontext=system_u:object_r:usr_t:s0 tclass=file
>>>
>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>>>      arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>>>      a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>>>      suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>      comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>>>      subj=system_u:system_r:system_mail_t:s0 key=(null)
>>>
>>>      
>> This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat
>>
>>    
> Apache has geoip_module configured, but that is the only place I have GeoIP
> configured.

Well that GeoIP module is probably sending email or at least opening that file before httpd_t sends mail for another module, revealing the leak.  You can add an allow rule using audit2allow, if this is probably not important data.  Open a bugzilla with geoip_module to not leak the file.  If you are not using the geoip_module, remove it from your apache config.

>>> Regards,
>>> John Griffiths
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@...
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>      
>>
>> You can add custom policy to allow these by executing audit2allow -M mypol
>>    

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
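
One way to triage the two events discussed in this thread, as an added example that is not part of any poster's message or of the audit tools: it pairs each AVC record with its SYSCALL record by event id and applies two heuristics for inherited descriptors. The heuristics, the verdict strings and the small i386 syscall table (arch=40000003, where 11 is execve and 197 is fstat64) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Abridged copies of the two events quoted in the thread (unused fields dropped).
SAMPLE = '''\
type=AVC msg=audit(1253716264.867:65886): avc: denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]" dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1253716264.867:65886): arch=40000003 syscall=197 success=no exit=-13 a0=2 comm="postdrop" exe="/usr/sbin/postdrop"
type=AVC msg=audit(1253643380.763:60806): avc: denied { read } for pid=1311 comm="sendmail" path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1253643380.763:60806): arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
I386_SYSCALLS = {11: "execve", 197: "fstat64"}  # arch=40000003 is 32-bit x86


def parse(text):
    """Group audit records by event id: {id: {"AVC": fields, "SYSCALL": fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        p = PERMS.search(line)
        fields["perms"] = p.group(1).split() if p else []
        events[m.group(1)][fields.get("type")] = fields
    return events


def triage(event):
    """Heuristic verdict for one event (assumed rules, not audit2why output)."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not (avc and sc):
        return {"verdict": "incomplete event"}
    call = None
    if sc.get("arch") == "40000003":
        call = I386_SYSCALLS.get(int(sc["syscall"]))
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    if call == "execve" and sc.get("success") == "yes":
        # The exec succeeded, so the denial is for an already-open descriptor
        # that SELinux re-checked against the new domain, not for the program.
        verdict = "fd inherited across exec"
    elif call == "fstat64" and avc["tclass"] == "fifo_file" and int(sc["a0"], 16) <= 2:
        # fstat on stdin/stdout/stderr; a pipe is labeled with its creator's domain.
        verdict = "stdio fd %d is a pipe from %s" % (int(sc["a0"], 16), tgt)
    else:
        verdict = "review manually"
    return {"source": src, "target": tgt, "class": avc["tclass"],
            "perms": avc["perms"], "syscall": call, "verdict": verdict}


def report(text):
    return {eid: triage(ev) for eid, ev in parse(text).items()}
```

Calling `report(SAMPLE)` returns one verdict per event id; records for other architectures or syscalls fall through to "review manually".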

Re: Two AVCs

by John Griffiths-4



Daniel J Walsh wrote:
> On 09/23/2009 12:00 PM, John Griffiths wrote:
>
>> Daniel J Walsh wrote:
>>> On 09/23/2009 07:47 AM, John Griffiths wrote:
>>>
>>>> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
>>>> getting these AVCs. They do not seem to inhibit functionality but still
>>>> troublesome to get the selinux alerts all the time. Are these bugs in the policy
>>>> or something that will not be addressed and I need to generate local policy?
>>>>
>>>>      1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>>>>
>>>>      Raw Audit Messages :
>>>>
>>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>>>>      denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>>>>      dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>>>>      tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>>>>
>>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>>>>      arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>>>>      a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>>>>      suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>>>>      comm="postdrop" exe="/usr/sbin/postdrop"
>>>>      subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
>>>>
>>> This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
>>>
>> This happens in conjunction with email being sent by Bugzilla which is of course
>> being served by apache.
>
> Is mail being sent successfully?  I believe this is also a leaked file descriptor.

Email is successfully sent.

>>>>      2) SELinux is preventing sendmail (system_mail_t) "read" to
>>>>      /usr/share/GeoIP/GeoIP.dat (usr_t).
>>>>
>>>>      Raw Audit Messages :
>>>>
>>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>>>>      denied { read } for pid=1311 comm="sendmail"
>>>>      path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>>>>      scontext=system_u:system_r:system_mail_t:s0
>>>>      tcontext=system_u:object_r:usr_t:s0 tclass=file
>>>>
>>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>>>>      arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>>>>      a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>>>>      suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>      comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>>>>      subj=system_u:system_r:system_mail_t:s0 key=(null)
>>>>
>>> This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat
>>>
>> Apache has geoip_module configured, but that is the only place I have GeoIP
>> configured.
>
> Well that GeoIP module is probably sending email or at least opening that file before httpd_t sends mail for another module, revealing the leak.  You can add an allow rule using audit2allow, if this is probably not important data.  Open a bugzilla with geoip_module to not leak the file.  If you are not using the geoip_module, remove it from your apache config.

Will open bugzilla.

>>>> Regards,
>>>> John Griffiths
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@...
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>> You can add custom policy to allow these by executing audit2allow -M mypol
   
      

  
