On 26/02/10 10:39, Richard Chapman wrote:
> I have seen this denial twice in the last few days - and I think it is
> new to my system. I'm not sure whether recent updates have caused it -
> or whether my system has entered a new phase for some other reason. I
> can't think of any obvious changes I have made. Any suggestions would be
> welcome:
>
> Summary
> SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to
> /var/log/httpd/error_log (httpd_log_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux denied access requested by postdrop. It is not expected that
> this access is required by postdrop and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /var/log/httpd/error_log,
>
> restorecon -v '/var/log/httpd/error_log'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ
> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a bug report
> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
>
> Additional Information
>
> Source Context: system_u:system_r:postfix_postdrop_t
> Target Context: system_u:object_r:httpd_log_t
> Target Objects: /var/log/httpd/error_log [ file ]
> Source: postdrop
> Source Path: /usr/sbin/postdrop
> Port: <Unknown>
> Host: C5.aardvark.com.au
> Source RPM Packages: postfix-2.3.3-2.1.el5_2
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-255.el5_4.4
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: catchall_file
> Host Name: C5.aardvark.com.au
> Platform: Linux C5.aardvark.com.au 2.6.18-164.11.1.el5 #1 SMP Wed Jan
> 20 07:32:21 EST 2010 x86_64 x86_64
> Alert Count: 4
> First Seen: Wed Jan 13 16:49:57 2010
> Last Seen: Wed Feb 24 11:42:04 2010
> Local ID: f532f021-830c-4b05-8175-8a6887dd132b
> Line Numbers:
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1266982924.689:25356): avc:
> denied { getattr } for pid=14542 comm="postdrop"
> path="/var/log/httpd/error_log" dev=dm-0 ino=29360282
> scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1266982924.689:25356):
> arch=c000003e syscall=5 success=yes exit=0 a0=2 a1=7fff9da1f600
> a2=7fff9da1f600 a3=0 items=0 ppid=14541 pid=14542 auid=4294967295 uid=48
> gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none)
> ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop"
> subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

I would guess that this is a leaked file descriptor from httpd and the AVC is triggered when a webapp you're running on this system sends some mail.

Paul.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
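
One way to check the leaked-descriptor guess against the raw audit records quoted above (an added example, not part of either message): pair each AVC with its SYSCALL record and see whether the access went through an already-open descriptor. The function names are hypothetical and the syscall table assumes x86_64 numbering (`arch=c000003e`); on the quoted event, `syscall=5` is `fstat` and `a0=2` is stderr.

```python
import re

# x86_64 (arch=c000003e) syscalls whose first argument is an already-open fd.
# An AVC raised inside one of these was checked against a descriptor the
# process already held, not against a path it was opening.
FD_SYSCALLS = {0: "read", 1: "write", 5: "fstat"}

# The two records quoted in the post, unwrapped to one line each.
SAMPLE = """\
host=C5.aardvark.com.au type=AVC msg=audit(1266982924.689:25356): avc: denied { getattr } for pid=14542 comm="postdrop" path="/var/log/httpd/error_log" dev=dm-0 ino=29360282 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1266982924.689:25356): arch=c000003e syscall=5 success=yes exit=0 a0=2 a1=7fff9da1f600 a2=7fff9da1f600 a3=0 items=0 ppid=14541 pid=14542 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
"""

def parse(line):
    """Return (event_id, fields) for one raw audit record."""
    event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"\{([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return event, fields

def find_inherited_fd_denials(text):
    """Pair AVC and SYSCALL records by event id; report fd-based accesses."""
    events = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        event, fields = parse(line)
        events.setdefault(event, {})[fields["type"]] = fields
    findings = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or sc.get("arch") != "c000003e":
            continue
        name = FD_SYSCALLS.get(int(sc["syscall"]))
        if name is None:
            continue  # not one of the fd-based syscalls in the table above
        fd = int(sc["a0"], 16)  # audit prints syscall arguments in hex
        findings.append({
            "event": event, "comm": avc["comm"], "syscall": name, "fd": fd,
            "stdio": fd <= 2,  # 0/1/2 are set up by whoever exec'd the program
            "path": avc.get("path"), "perms": avc["perms"], "uid": sc["uid"],
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2],
        })
    return findings

if __name__ == "__main__":
    for f in find_inherited_fd_denials(SAMPLE):
        print(f)
```

A finding with `stdio` set means the denied process was started with that descriptor already open on the target file, so the access comes from the parent's environment rather than from anything the program opened itself.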