Two AVCs
Daniel J Walsh
dwalsh at redhat.com
Wed Sep 23 14:57:03 UTC 2009
On 09/23/2009 07:47 AM, John Griffiths wrote:
> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
> getting these AVCs. They do not seem to inhibit functionality but still
> troublesome to get the selinux alerts all the time. Are these bugs in the policy
> or something that will not be addressed and I need to generate local policy?
>
> 1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>
> Raw Audit Messages :
>
> node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
> denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
> dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>
> node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
> arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
> a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
> comm="postdrop" exe="/usr/sbin/postdrop"
> subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
This seems a little strange, is postfix being executed from apache? I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
>
> 2) SELinux is preventing sendmail (system_mail_t) "read" to
> /usr/share/GeoIP/GeoIP.dat (usr_t).
>
> Raw Audit Messages :
>
> node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
> denied { read } for pid=1311 comm="sendmail"
> path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
> arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
> a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="sendmail" exe="/usr/sbin/sendmail.postfix"
> subj=system_u:system_r:system_mail_t:s0 key=(null)
>
This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat
> Regards,
> John Griffiths
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can add custom policy to allow these by executing audit2allow -M mypol
More information about the fedora-selinux-list
mailing list