How to solve these audit messages

Daniel J Walsh dwalsh at redhat.com
Tue Nov 6 15:22:26 UTC 2007


Ali Nebi wrote:
> Hi, 
> 
> I want to ask about 2 strange audit messages. The messages are these:
> 
> Nov  5 14:14:24 asgard kernel: audit(1194268464.097:309): avc:  denied
> { search } for  pid=22933 comm="sh" name="src" dev=dm-0 ino=5244065
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
> Nov  5 14:14:24 asgard kernel: audit(1194268464.124:310): avc:  denied
> { getattr } for  pid=22933 comm="sh" name="SPECS" dev=dm-0 ino=5865755
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
> 
> I don't know the reason why sh is trying to do something in /usr/src
> and /usr/src/redhat/SPEC.
> 
> We have not set up any script whose task is to do something in these
> directories. Is it possible that this is some hack attack? Also, I see
> that the scontext is this: scontext=root:system_r:httpd_t:s0. Is it
> possible to find out where the file is that is trying to use "sh"?
> 
> Also the audits:
> 
> Nov  5 12:03:07 casamerica kernel: audit(1194260587.185:40): avc:
> denied  { read write } for  pid=26690 comm="listinfo" name="" dev=sockfs
> ino=1414447 scontext=system_u:system_r:mailman_cgi_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> 
> I have some similar messages related to mailman. What is the best
> thing that I can do to solve these messages?
> 
> Thanks in advance!

I guess that you are running some mod_(php, perl)? script that is trying
to look at /usr/src/redhat/SPEC.  This is all the info we get from the
kernel.  I don't know if this is a problem or not.

The other avc is a leaked file descriptor in httpd and could be
dontaudited in mailman_cgi_t.  It can safely be ignored.

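An added example, not part of the original message or of any SELinux tool: a small Python triage of the three AVC records quoted in the thread, separating denials that look like an inherited (leaked) descriptor from denials that reflect a real access attempt. The leaked-descriptor rule (a socket, fifo or fd class whose target context is another process domain) is a heuristic assumed here, and the function names are hypothetical.

```python
import re

# The three AVC records from the message above, with the mail line-wrapping undone.
SAMPLE = [
    'Nov  5 14:14:24 asgard kernel: audit(1194268464.097:309): avc:  denied { search } for  pid=22933 comm="sh" name="src" dev=dm-0 ino=5244065 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir',
    'Nov  5 14:14:24 asgard kernel: audit(1194268464.124:310): avc:  denied { getattr } for  pid=22933 comm="sh" name="SPECS" dev=dm-0 ino=5865755 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir',
    'Nov  5 12:03:07 casamerica kernel: audit(1194260587.185:40): avc: denied  { read write } for  pid=26690 comm="listinfo" name="" dev=sockfs ino=1414447 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket',
]

AVC_RE = re.compile(r'audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INHERITED_CLASSES = {"fd", "fifo_file"}  # plus any *_socket class


def parse_avc(line):
    """Split one kernel AVC denial into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; role and type are fields 2 and 3.
    rec["srole"], rec["stype"] = rec["scontext"].split(":")[1:3]
    rec["trole"], rec["ttype"] = rec["tcontext"].split(":")[1:3]
    return rec


def looks_like_leaked_fd(rec):
    """Heuristic (assumption): the target is another process domain's open descriptor."""
    inherited = rec["tclass"] in INHERITED_CLASSES or rec["tclass"].endswith("_socket")
    target_is_process = rec["trole"] != "object_r"
    return inherited and target_is_process and rec["stype"] != rec["ttype"]


def triage(lines):
    """Return (serial, source type, target type, class, perms, verdict) per denial."""
    rows = []
    for rec in filter(None, map(parse_avc, lines)):
        verdict = "leaked-fd candidate" if looks_like_leaked_fd(rec) else "investigate"
        rows.append((rec["serial"], rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], verdict))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The two `httpd_t` to `src_t` directory denials come out as "investigate", and the `mailman_cgi_t` denial on httpd's `unix_stream_socket` comes out as a leaked-fd candidate, matching the reading given in the reply.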