Art Age Software
2008-Aug-23 17:44 UTC
[CentOS] CentOS 5.2 + SELinux + Apache/PHP + Postfix
Hi All, I'm running CentOS 5.2 with SELinux in enforcing mode (default targeted policy). The server hosts a PHP web app that sends mail. I'm getting the following errors (see end of message) in my selinux audit.log file every time the app sends an email. The email always seems to get sent successfully, despite the log messages. However, they do concern me and I would like to understand what they mean and why they occur. The first set of messages seems to relate to postfix being denied attempts to create/read/write a temporary file in Apache's context. In the second set, it seems to postdrop is attempting to do something with apache's error log file. Can anyone help make sense of this? I know I can create policy rules to allow these actions. But I don't want to do that without understanding the implications. For reference, audit2allow suggests the following policy additions: #============= postfix_postdrop_t =============allow postfix_postdrop_t httpd_log_t:file getattr; #============= system_mail_t =============allow system_mail_t httpd_t:file read; allow system_mail_t httpd_tmp_t:file { read write }; Any help greatly appreciated. Thanks! Sam ------------------------------------------------------------------------------------------- type=AVC msg=audit(1219458556.400:16996): avc: denied { read write } for pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E302E313236373935383634322E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file type=AVC msg=audit(1219458556.400:16996): avc: denied { read write } for pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E312E3534383639343233352E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file type=AVC msg=audit(1219458556.400:16996): avc: denied { read write } for pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E322E313236323334313837332E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file type=AVC msg=audit(1219458556.400:16996): avc: denied { read write } for pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E332E32313137303238332E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file type=AVC msg=audit(1219458556.400:16996): avc: denied { read } for pid=xxxxx comm="sendmail" path="eventpoll:[xxxxx]" dev=eventpollfs ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file type=SYSCALL msg=audit(1219458556.400:16996): arch=c000003e syscall=59 success=yes exit=0 a0=e04360 a1=e043e0 a2=e031a0 a3=3 items=0 ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=user_u:system_r:system_mail_t:s0 key=(null) type=AVC msg=audit(1219458556.410:16997): avc: denied { getattr } for pid=xxxxx comm="postdrop" path="/var/log/httpd/error_log" dev=dm-4 ino=xxxxx scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file type=SYSCALL msg=audit(1219458556.410:16997): arch=c000003e syscall=5 success=no exit=-13 a0=2 a1=7fffd0dbfa70 a2=7fffd0dbfa70 a3=0 items=0 ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363 comm="postdrop" exe="/usr/sbin/postdrop" subj=user_u:system_r:postfix_postdrop_t:s0 key=(null) -------------------------------------------------------------------------------------------
> I'm running CentOS 5.2 with SELinux in enforcing mode (default > targeted policy). The server hosts a PHP web app that sends mail. I'm > getting the following errors (see end of message) in my selinux > audit.log file every time the app sends an email. The email always > seems to get sent successfully, despite the log messages. However, > they do concern me and I would like to understand what they mean and > why they occur. > > The first set of messages seems to relate to postfix being denied > attempts to create/read/write a temporary file in Apache's context. In > the second set, it seems to postdrop is attempting to do something > with apache's error log file. > > Can anyone help make sense of this? I know I can create policy rules > to allow these actions. But I don't want to do that without > understanding the implications. For reference, audit2allow suggests > the following policy additions: > > #============= postfix_postdrop_t =============> allow postfix_postdrop_t httpd_log_t:file getattr; > > #============= system_mail_t =============> allow system_mail_t httpd_t:file read; > allow system_mail_t httpd_tmp_t:file { read write }; > > Any help greatly appreciated.If these denials do not interfere with the normal workflow of the application you may add dontaudit rules to your local policy. The unnecessary access will still be denied but you won't get these annoying messages in the logs. There's a plenty of dontaudit rules in the base policy shipped with centos. If you're curious you may install /usr/share/selinux/targeted/enableaudit.pp which is a base policy with dontaudit rules turned off. This short article by Dan Walsh might be useful: http://danwalsh.livejournal.com/11673.html HTH
Art Age Software
2008-Aug-25 19:46 UTC
[CentOS] Re: CentOS 5.2 + SELinux + Apache/PHP + Postfix
Thanks - appreciate the info. Still, I would like to understand why these denials are occurring during what should be a pretty typical use case: namely sending emails from a web app. Does anyone have any insight into this?>If these denials do not interfere with the normal workflow >of the application you may add dontaudit rules to your local policy. >The unnecessary access will still be denied but you won't get >these annoying messages in the logs. > >There's a plenty of dontaudit rules in the base policy >shipped with centos. If you're curious you may install >/usr/share/selinux/targeted/enableaudit.pp >which is a base policy with dontaudit rules turned off.