Two AVCs

Daniel J Walsh dwalsh at redhat.com
Wed Sep 23 14:57:03 UTC 2009 

On 09/23/2009 07:47 AM, John Griffiths wrote:
> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am 
> getting these AVCs. They do not seem to inhibit functionality but still 
> troublesome to get the selinux alerts all the time. Are these bugs in the policy 
> or something that will not be addressed and I need to generate local policy?
> 
>     1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
> 
>     Raw Audit Messages :
> 
>     node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>     denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>     dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>     tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
> 
>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>     arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>     a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>     suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>     comm="postdrop" exe="/usr/sbin/postdrop"
>     subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
> 
>     2) SELinux is preventing sendmail (system_mail_t) "read" to
>     /usr/share/GeoIP/GeoIP.dat (usr_t).
> 
>     Raw Audit Messages :
> 
>     node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>     denied { read } for pid=1311 comm="sendmail"
>     path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>     scontext=system_u:system_r:system_mail_t:s0
>     tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
>     node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>     arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>     a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>     suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>     comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>     subj=system_u:system_r:system_mail_t:s0 key=(null)
> 
This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat

> Regards,
> John Griffiths
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You can add custom policy to allow these by executing audit2allow -M mypol

More information about the fedora-selinux-list mailing list