On 02/26/2010 05:57 AM, Paul Howarth wrote:
> On 26/02/10 10:39, Richard Chapman wrote:
>
>> I have seen this denial twice in the last few days - and I think it is
>> new to my system. I'm not sure whether recent updates have caused it -
>> or whether my system has entered a new phase for some other reason. I
>> can't think of any obvious changes I have made. Any suggestions would be
>> welcome:
>>
>> Summary
>> SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to
>> /var/log/httpd/error_log (httpd_log_t).
>> Detailed Description
>> [SELinux is in permissive mode, the operation would have been denied but
>> was permitted due to permissive mode.]
>>
>> SELinux denied access requested by postdrop. It is not expected that
>> this access is required by postdrop and this access may signal an
>> intrusion attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try to
>> restore the default system file context for /var/log/httpd/error_log,
>>
>> restorecon -v '/var/log/httpd/error_log'
>>
>> If this does not work, there is currently no automatic way to allow this
>> access. Instead, you can generate a local policy module to allow this
>> access - see FAQ
>> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
>> disable SELinux protection altogether. Disabling SELinux protection is
>> not recommended. Please file a bug report
>> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
>>
>> Additional Information
>>
>> Source Context: system_u:system_r:postfix_postdrop_t
>> Target Context: system_u:object_r:httpd_log_t
>> Target Objects: /var/log/httpd/error_log [ file ]
>> Source: postdrop
>> Source Path: /usr/sbin/postdrop
>> Port: <Unknown>
>> Host: C5.aardvark.com.au
>> Source RPM Packages: postfix-2.3.3-2.1.el5_2
>> Target RPM Packages:
>> Policy RPM: selinux-policy-2.4.6-255.el5_4.4
>> Selinux Enabled: True
>> Policy Type: targeted
>> MLS Enabled: True
>> Enforcing Mode: Permissive
>> Plugin Name: catchall_file
>> Host Name: C5.aardvark.com.au
>> Platform: Linux C5.aardvark.com.au 2.6.18-164.11.1.el5 #1 SMP Wed Jan
>> 20 07:32:21 EST 2010 x86_64 x86_64
>> Alert Count: 4
>> First Seen: Wed Jan 13 16:49:57 2010
>> Last Seen: Wed Feb 24 11:42:04 2010
>> Local ID: f532f021-830c-4b05-8175-8a6887dd132b
>> Line Numbers:
>>
>> Raw Audit Messages :
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1266982924.689:25356): avc:
>> denied { getattr } for pid=14542 comm="postdrop"
>> path="/var/log/httpd/error_log" dev=dm-0 ino=29360282
>> scontext=system_u:system_r:postfix_postdrop_t:s0
>> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1266982924.689:25356):
>> arch=c000003e syscall=5 success=yes exit=0 a0=2 a1=7fff9da1f600
>> a2=7fff9da1f600 a3=0 items=0 ppid=14541 pid=14542 auid=4294967295 uid=48
>> gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none)
>> ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop"
>> subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
>>
> I would guess that this is a leaked file descriptor from httpd and the
> AVC is triggered when a webapp you're running on this system sends some
> mail.
>
> Paul.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Yes I agree.
Easiest thing to get rid of it, is to execute

# grep postfix /var/log/audit/audit.log | audit2allow -DM mypostfix
# semodule -i mypostfix.pp

Which will build a dontaudit policy and tell SELinux to stop bothering you.
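
A way to check the leaked-descriptor guess before adding a dontaudit rule, as an added example that is not part of the original thread: it pairs each AVC record with the SYSCALL record of the same event and reports denials raised by a call on an already-open descriptor. The function names and the table of fd-based syscalls are assumptions of this example; the syscall numbers are the x86_64 ones.

```python
import re

# Constructed input: the AVC/SYSCALL pair from the quoted report, unwrapped and trimmed.
SAMPLE = (
    'type=AVC msg=audit(1266982924.689:25356): avc: denied { getattr } for '
    'pid=14542 comm="postdrop" path="/var/log/httpd/error_log" dev=dm-0 '
    'scontext=system_u:system_r:postfix_postdrop_t:s0 '
    'tcontext=system_u:object_r:httpd_log_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1266982924.689:25356): arch=c000003e syscall=5 '
    'success=yes exit=0 a0=2 a1=7fff9da1f600 items=0 ppid=14541 pid=14542 '
    'uid=48 comm="postdrop" exe="/usr/sbin/postdrop"\n'
)
# x86_64 syscalls that act on an already-open descriptor passed in a0
# (which calls to treat as "fd-based" is this example's assumption).
FD_SYSCALLS = {0: "read", 1: "write", 5: "fstat", 16: "ioctl"}
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*)\}")

def parse_events(text):
    """Group audit records by event id, keyed by record type (AVC, SYSCALL)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        perms = PERMS.search(line)
        if perms:
            rec["perms"] = perms.group(1).split()
        events.setdefault(m.group(1), {})[rec.get("type")] = rec
    return events

def inherited_fd_denials(text):
    """Return AVC denials raised by a syscall on an existing descriptor."""
    hits = []
    for ev in parse_events(text).values():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not avc or not sc or sc.get("arch") != "c000003e":  # x86_64 only
            continue
        name = FD_SYSCALLS.get(int(sc["syscall"]))
        # items=0: no PATH records, so the kernel resolved no pathname here.
        if name and sc.get("items") == "0":
            hits.append({"domain": avc["scontext"].split(":")[2],
                         "target_type": avc["tcontext"].split(":")[2],
                         "perms": avc["perms"], "path": avc.get("path"),
                         "syscall": name, "fd": int(sc["a0"], 16)})
    return hits
```

For the record in the report this returns one hit: fstat on descriptor 2, that is, postdrop's standard error, which it was handed already open on /var/log/httpd/error_log.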