On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
> On 04/09/2009 11:44 AM, Craig White wrote:
> > This is from a newly set up CentOS 5.3 server...and I definitely don't
> > understand what it's wanting to make it happy.
> >
> > # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
> >
> > Summary:
> >
> > SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
> > (crond_t).
> >
> > Detailed Description:
> >
> > [SELinux is in permissive mode, the operation would have been denied but
> > was permitted due to permissive mode.]
> >
> > SELinux denied access requested by postfix-script. It is not expected
> > that this access is required by postfix-script and this access may
> > signal an intrusion attempt. It is also possible that the specific
> > version or configuration of the application is causing it to require
> > additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended.
> > Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                user_u:system_r:postfix_master_t
> > Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
> > Target Objects                pipe [ fifo_file ]
> > Source                        postfix-script
> > Source Path                   /bin/bash
> > Port                          <Unknown>
> > Host                          srv1.azapple.com
> > Source RPM Packages           bash-3.2-24.el5
> > Target RPM Packages
> > Policy RPM                    selinux-policy-2.4.6-203.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Permissive
> > Plugin Name                   catchall
> > Host Name                     srv1.azapple.com
> > Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP
> >                               Wed Mar 25 18:15:30 EDT 2009 i686 i686
> > Alert Count                   8
> > First Seen                    Thu Apr 2 04:34:40 2009
> > Last Seen                     Thu Apr 9 04:17:20 2009
> > Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
> > denied { ioctl } for pid=11778 comm="postfix-script"
> > path="pipe:[1634010]" dev=pipefs ino=1634010
> > scontext=user_u:system_r:postfix_master_t:s0
> > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> >
> > host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
> > arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
> > a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
> > comm="postfix-script" exe="/bin/bash"
> > subj=user_u:system_r:postfix_master_t:s0 key=(null)
> >
> This looks like postfix trying to communicate with the pipe from cron
> (stdout). Current policy allows read/write/getattr but no ioctl.
>
> You can add this access via
> # grep postfix /var/log/audit/audit.log | audit2allow -mypostfix
> # semodule -i mypostfix.pp
>
> I will add this fix to RHEL5.4 policy, Preview should be available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>
> selinux-policy-2.4.6-223.el5
----
Thanks, will do.

I take it then that the admonition to file a bugzilla report is not
necessary?

Craig

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
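The "grep the audit log, feed it to audit2allow, install the .pp" procedure Dan gives is worth seeing in the open, because the one check sealert is asking for (the denial "may signal an intrusion attempt") is a human reading the generated rule before `semodule -i` loads it. The block below is an added example, not code from the thread and not audit2allow itself: a small Python reimplementation of the part of audit2allow that turns AVC records into the .te source of a local module. The function names (`parse_avc`, `collect_rules`, `build_te`) and the sample log are mine; the first AVC line in the sample is the record quoted above, the others are constructed to show that a repeated denial collapses into one rule and that `granted` records and SYSCALL records are skipped. For the real tool, `audit2allow -M mypostfix` writes both mypostfix.te and the loadable mypostfix.pp; the equivalent manual build from a .te is `checkmodule -M -m -o mypostfix.mod mypostfix.te` followed by `semodule_package -o mypostfix.pp -m mypostfix.mod`. One detail from the SYSCALL record that helps judge whether the rule is benign: syscall 54 on i386 is ioctl and a1=5401 is TCGETS, the terminal probe bash performs on inherited descriptors, which is consistent with Dan's reading that nothing more than a tty check on a cron pipe is being denied.

```python
"""Added example: a minimal stand-in for the audit2allow step in the thread.

Parses AVC denial records from audit log text and emits the .te source of
a local policy module that would allow them.  Not audit2allow itself;
sample input is constructed (first record copied from the thread).
"""
import re
from collections import defaultdict

# Constructed sample log.  Line 1 is the AVC quoted in the thread, line 2 its
# SYSCALL companion; lines 3-4 are made up: a second identical denial from a
# later run, and a 'granted' record that must not produce a rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1239275840.489:3152): avc:  denied  { ioctl } for  pid=11778 comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1239275840.489:3152): arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40 a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1239362240.101:3201): avc:  denied  { ioctl } for  pid=12044 comm="postfix-script" path="pipe:[1640022]" dev=pipefs ino=1640022 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1239362240.102:3202): avc:  granted  { read } for  pid=12044 comm="postfix-script" path="pipe:[1640022]" dev=pipefs ino=1640022 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
"""

# One AVC record: verdict, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of user:role:type[:range]; the type is always third."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for a denied AVC record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m or m.group('verdict') != 'denied':
        return None
    return {
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
    }


def collect_rules(log_text, needle=None):
    """Aggregate denials into {(source_type, target_type, class): perms}.

    needle mimics the 'grep postfix' pre-filter: only lines containing it count.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if needle and needle not in line:
            continue
        rec = parse_avc(line)
        if rec:
            rules[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def perm_list(perms):
    """Format permissions the way policy source does: one bare, several braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_te(rules, module_name, version='1.0'):
    """Render a loadable-module .te: module header, require block, allow rules."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {module_name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {perm_list(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f'allow {src} {tgt}:{cls} {perm_list(perms)};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Equivalent of: grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
    # Read the printed rule before building and loading mypostfix.pp.
    print(build_te(collect_rules(SAMPLE_AUDIT_LOG, 'postfix'), 'mypostfix'))
```

Running it prints a module whose only rule is `allow postfix_master_t crond_t:fifo_file ioctl;`, which is exactly what a practitioner should confirm before installing: one domain, one target type, one object class, one permission, and nothing that widens the grant beyond the pipe cron handed to postfix.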