[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Two AVCs

Daniel J Walsh wrote:
On 09/23/2009 07:47 AM, John Griffiths wrote:
I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am 
getting these AVCs. They do not seem to inhibit functionality but still 
troublesome to get the selinux alerts all the time. Are these bugs in the policy 
or something that will not be addressed and I need to generate local policy?

    1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.

    Raw Audit Messages :

    node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
    denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
    dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
    tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file

    node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
    arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
    a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
    suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
    comm="postdrop" exe="/usr/sbin/postdrop"
    subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
This happens in conjunction with email being sent by Bugzilla which is of course being served by apache.
    2) SELinux is preventing sendmail (system_mail_t) "read" to
    /usr/share/GeoIP/GeoIP.dat (usr_t).

    Raw Audit Messages :

    node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
    denied { read } for pid=1311 comm="sendmail"
    path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
    tcontext=system_u:object_r:usr_t:s0 tclass=file

    node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
    arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
    a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
    suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
    comm="sendmail" exe="/usr/sbin/sendmail.postfix"
    subj=system_u:system_r:system_mail_t:s0 key=(null)

This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat

Apache has geoip_module configured, but that is the only place I have GeoIP configured.

John Griffiths


fedora-selinux-list mailing list
fedora-selinux-list redhat com

You can add custom policy to allow these by executing audit2allow -M mypol

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]