Re: Two AVCs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/23/2009 12:00 PM, John Griffiths wrote:
> 
> 
> Daniel J Walsh wrote:
>> On 09/23/2009 07:47 AM, John Griffiths wrote:
>>    
>>> I am using selinux-policy-targeted-3.5.13-71.fc10.noarch on Fedora 10. I am
>>> getting these AVCs. They do not seem to inhibit functionality but still
>>> troublesome to get the selinux alerts all the time. Are these bugs in the policy
>>> or something that will not be addressed and I need to generate local policy?
>>>
>>>      1) SELinux is preventing postdrop (postfix_postdrop_t) "getattr" httpd_t.
>>>
>>>      Raw Audit Messages :
>>>
>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253716264.867:65886): avc:
>>>      denied { getattr } for pid=30094 comm="postdrop" path="pipe:[2618550]"
>>>      dev=pipefs ino=2618550 scontext=system_u:system_r:postfix_postdrop_t:s0
>>>      tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
>>>
>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253716264.867:65886):
>>>      arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfc167c8 a2=94eff4
>>>      a3=2 items=0 ppid=30093 pid=30094 auid=4294967295 uid=48 gid=48 euid=48
>>>      suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295
>>>      comm="postdrop" exe="/usr/sbin/postdrop"
>>>      subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
>>>      
>> This seems a little strange, is postfix being executed from apache?  I would guess that postfix does not communicate with apache via fifo_file, so might be a leak.
>>    
> This happens in conjunction with email being sent by Bugzilla which is of course 
> being served by apache.
Is mail being sent successfully?  I believe this is also a leaked file descriptor.
>>>      2) SELinux is preventing sendmail (system_mail_t) 
"read" to
>>>      /usr/share/GeoIP/GeoIP.dat (usr_t).
>>>
>>>      Raw Audit Messages :
>>>
>>>      node=elijah.suretrak21.net type=AVC msg=audit(1253643380.763:60806): avc:
>>>      denied { read } for pid=1311 comm="sendmail"
>>>      path="/usr/share/GeoIP/GeoIP.dat" dev=dm-0 ino=663651
>>>      scontext=system_u:system_r:system_mail_t:s0
>>>      tcontext=system_u:object_r:usr_t:s0 tclass=file
>>>
>>>      node=elijah.suretrak21.net type=SYSCALL msg=audit(1253643380.763:60806):
>>>      arch=40000003 syscall=11 success=yes exit=0 a0=9ad05d0 a1=9acfd18 a2=9acfb08
>>>      a3=0 items=0 ppid=14784 pid=1311 auid=4294967295 uid=48 gid=48 euid=48
>>>      suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>      comm="sendmail" exe="/usr/sbin/sendmail.postfix"
>>>      subj=system_u:system_r:system_mail_t:s0 key=(null)
>>>
>>>      
>> This one looks like a leak unless something is actually trying to mail /usr/share/GeoIP/GeoIP.dat
>>
>>    
> Apache has geoip_module configured, but that is the only place I have GeoIP 
> configured.
Well that GeoIP module is probably sending email or at least opening that file before httpd_t sends mail for another module, revealing the leak.  You can add an allow rule using audit2allow, if this is probably not important data.  Open a bugzilla with geoip_module to not leak the file.  If you are not using the geoip_module, remove it from your apache config.
>>> Regards,
>>> John Griffiths
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>      
>>
>> You can add custom policy to allow these by executing audit2allow -M mypol
>>    

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux