Questions about some selinux audit messages

Daniel J Walsh dwalsh at redhat.com
Thu Aug 23 13:42:48 UTC 2007



Ali Nebi wrote:
> Hi everyone,
> 
> I get these audit messages on all servers:
> 
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied
> { append } for  pid=9416 comm="sendmail" name="error.log" dev=dm-0
> ino=16416800 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> 
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied
> { read write } for  pid=9416 comm="sendmail" name="[eventpoll]"
> dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> 
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied
> { append } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
> 
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied
> { getattr } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
> 
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:360):avc:denied
> { append } for  pid=9448 comm="sendmail" name="error.log" dev=dm-0
> ino=16416800 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> 
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:361):avc:denied
> { read write } for  pid=9448 comm="sendmail" name="[eventpoll]"
> dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> 
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.253:362):avc:denied
> { append } for  pid=9449 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
> 
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.256:363):avc:denied
> { getattr } for  pid=9449 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
> 
> Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied
> { name_connect } for  pid=32151 comm="httpd" dest=5432
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> 
> So, these are the messages.
> 
> We have installed Fedora 6, x86_64
> My questions are these:
> 
> 1. Why does postdrop try to read, append and get attributes of the Apache
> logs? Can it be because we have installed the Logwatch program? We get these
> on all servers.
This probably means the logwatch program is leaking file descriptors
when executing postfix. Logwatch has an open file descriptor to the
error.log file with append access. When it executes postfix, it does
not automatically close the file descriptor, so SELinux checks the
access to the open file descriptor when starting postfix, denies it,
closes it, reports the AVC and continues executing the program.
> 
> 2. I have to allow postdrop to do what it needs with the logs; is this
> secure, and will it not be a problem for something?
> 
No, you probably want to dontaudit this, and get the logwatch developers to
fix their code.
> 3. For the last one, httpd tries to connect to the postgresql socket. Why
> does this happen, and is it secure?
> 
> 4. I have to give httpd this permission to connect to postgresql.
> 
> We have set postgresql to work on localhost and not to execute queries
> from remote hosts and sites.
There is a boolean for this: httpd_can_network_connect_db
setsebool -P httpd_can_network_connect_db=1
> 
> I will wait for your opinions, thanks in advance.
> 
> Regards, Ali Nebi!
> 
> 

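Added example, not code from the thread or from logwatch: a small Python reproduction of the descriptor leak Dan describes. The parent opens a log file for append and starts a child (a stand-in for postfix/postdrop); with the descriptor left inheritable the child still holds it after exec, which is exactly the file the AVCs above complain about in the child's domain. Marking it close-on-exec is the fix the thread asks logwatch to make. The temporary log file and the child probe script are constructed here.

```python
import os
import subprocess
import sys
import tempfile

# Child stand-in for the program being exec'd (postfix/postdrop in the
# thread). It only reports whether the descriptor number handed to it on
# the command line is still open in its own process.
CHILD_PROBE = """
import os, sys
try:
    os.fstat(int(sys.argv[1]))
    print("open")
except OSError:
    print("closed")
"""


def spawn_with_log_fd(leak_fd: bool) -> str:
    """Open a log for append, then start a child, the way logwatch does.

    Returns "open" if the child inherited the log descriptor (the leak;
    on an SELinux host the inherited descriptor is checked against the
    child's domain and denied) or "closed" if close-on-exec kept it
    private to the parent.
    """
    with tempfile.NamedTemporaryFile(suffix=".log", delete=False) as tmp:
        path = tmp.name  # constructed stand-in for httpd's error.log
    # Python marks new descriptors close-on-exec (PEP 446); a C program
    # that never sets FD_CLOEXEC behaves like leak_fd=True by default.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    os.set_inheritable(fd, leak_fd)
    try:
        os.write(fd, b"parent wrote a line\n")
        result = subprocess.run(
            [sys.executable, "-c", CHILD_PROBE, str(fd)],
            close_fds=False,  # do not let subprocess paper over the leak
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip()
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    print("leaky parent   ->", spawn_with_log_fd(leak_fd=True))   # open
    print("cloexec parent ->", spawn_with_log_fd(leak_fd=False))  # closed
```

On a real host the same leak shows up as an AVC with the parent's file in tcontext and the child's comm and scontext, which is why the denial in the thread names error.log but comm="postdrop".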
