On 04/10/2009 09:27 AM, Craig White wrote:
On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
On 04/09/2009 11:44 AM, Craig White wrote:
This is from a newly setup CentOS 5.3 server...and I definitely don't
understand what it's wanting to make it happy.
# sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
Summary:
SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
(crond_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by postfix-script. It is not expected
that this access is required by postfix-script and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context user_u:system_r:postfix_master_t
Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects pipe [ fifo_file ]
Source postfix-script
Source Path /bin/bash
Port <Unknown>
Host srv1.azapple.com
Source RPM Packages bash-3.2-24.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name srv1.azapple.com
Platform Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP Wed Mar 25 18:15:30 EDT 2009 i686 i686
Alert Count 8
First Seen Thu Apr 2 04:34:40 2009
Last Seen Thu Apr 9 04:17:20 2009
Local ID 6208be6e-3fb4-4748-80e8-769687066b83
Line Numbers
Raw Audit Messages
host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
denied { ioctl } for pid=11778 comm="postfix-script"
path="pipe:[1634010]" dev=pipefs ino=1634010
scontext=user_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
comm="postfix-script" exe="/bin/bash"
subj=user_u:system_r:postfix_master_t:s0 key=(null)
This looks like postfix trying to communicate with the pipe from cron
(stdout). Current policy allows read/write/getattr but no ioctl.
You can add this access via
# grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp
I will add this fix to the RHEL5.4 policy. A preview should be available on
http://people.redhat.com/dwalsh/SELinux/RHEL5
selinux-policy-2.4.6-223.el5
----
Thanks, will do.
I take it then that the admonition to file a bugzilla report is not
necessary?
Craig
Yes, don't bother, I will fix it.
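The audit2allow step in Dan's reply turns AVC records into allow rules for a local module. As an added example (not part of this thread and not audit2allow's own code), the following Python performs the same aggregation for the denial quoted above, subtracting the permissions Dan says the base policy already grants so that only the missing ioctl ends up in the rule. The AVC line is the one from the sealert output, reassembled onto one line; the `already_allowed` map is an assumption constructed from Dan's remark, and the output is the rule body only, not a complete .te module with its require block.

```python
import re

# Constructed for this example: the AVC record from the sealert output above,
# reassembled onto one line as it would appear in /var/log/audit/audit.log.
AVC_LINE = (
    'type=AVC msg=audit(1239275840.489:3152): avc: denied { ioctl } for pid=11778 '
    'comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 '
    'scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'
)

# Permissions inside the braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_type(context):
    """Return the type field (third colon-separated element) of a security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Extract (source type, target type, class, permission set) from one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (domain_type(m.group('scontext')),
            domain_type(m.group('tcontext')),
            m.group('tclass'),
            frozenset(m.group('perms').split()))

def allow_rules(lines, already_allowed=None):
    """Aggregate denials into the allow rules a local module would need.

    already_allowed maps (src, tgt, class) -> permissions the base policy already
    grants; those are subtracted so the module only adds what is actually missing.
    """
    already_allowed = already_allowed or {}
    needed = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        key = (src, tgt, tclass)
        needed.setdefault(key, set()).update(perms - already_allowed.get(key, set()))
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in needed.items() if p)

if __name__ == '__main__':
    # Assumption taken from Dan's remark: read/write/getattr are already granted.
    base = {('postfix_master_t', 'crond_t', 'fifo_file'): {'read', 'write', 'getattr'}}
    for rule in allow_rules([AVC_LINE], base):
        print(rule)
```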
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list