Art Age Software
2008-Aug-23 17:44 UTC
[CentOS] CentOS 5.2 + SELinux + Apache/PHP + Postfix
Hi All,
I'm running CentOS 5.2 with SELinux in enforcing mode (default
targeted policy). The server hosts a PHP web app that sends mail. I'm
getting the following errors (see end of message) in my selinux
audit.log file every time the app sends an email. The email always
seems to get sent successfully, despite the log messages. However,
they do concern me and I would like to understand what they mean and
why they occur.
The first set of messages seems to relate to postfix being denied
attempts to create/read/write a temporary file in Apache's context. In
the second set, it seems that postdrop is attempting to do something
with apache's error log file.
Can anyone help make sense of this? I know I can create policy rules
to allow these actions. But I don't want to do that without
understanding the implications. For reference, audit2allow suggests
the following policy additions:
#============= postfix_postdrop_t =============
allow postfix_postdrop_t httpd_log_t:file getattr;

#============= system_mail_t =============
allow system_mail_t httpd_t:file read;
allow system_mail_t httpd_tmp_t:file { read write };
Any help greatly appreciated.
Thanks!
Sam
-------------------------------------------------------------------------------------------
type=AVC msg=audit(1219458556.400:16996): avc: denied { read write }
for pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E302E313236373935383634322E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc: denied { read write }
for pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E312E3534383639343233352E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc: denied { read write }
for pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E322E313236323334313837332E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc: denied { read write }
for pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E332E32313137303238332E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc: denied { read } for
pid=xxxxx comm="sendmail" path="eventpoll:[xxxxx]"
dev=eventpollfs
ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=SYSCALL msg=audit(1219458556.400:16996): arch=c000003e syscall=59
success=yes exit=0 a0=e04360 a1=e043e0 a2=e031a0 a3=3 items=0
ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx
fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363
comm="sendmail" exe="/usr/sbin/sendmail.postfix"
subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1219458556.410:16997): avc: denied { getattr }
for pid=xxxxx comm="postdrop"
path="/var/log/httpd/error_log"
dev=dm-4 ino=xxxxx scontext=user_u:system_r:postfix_postdrop_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1219458556.410:16997): arch=c000003e syscall=5
success=no exit=-13 a0=2 a1=7fffd0dbfa70 a2=7fffd0dbfa70 a3=0 items=0
ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx
fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363
comm="postdrop" exe="/usr/sbin/postdrop"
subj=user_u:system_r:postfix_postdrop_t:s0 key=(null)
-------------------------------------------------------------------------------------------
> I'm running CentOS 5.2 with SELinux in enforcing mode (default
> targeted policy). The server hosts a PHP web app that sends mail. I'm
> getting the following errors (see end of message) in my selinux
> audit.log file every time the app sends an email. The email always
> seems to get sent successfully, despite the log messages. However,
> they do concern me and I would like to understand what they mean and
> why they occur.
>
> The first set of messages seems to relate to postfix being denied
> attempts to create/read/write a temporary file in Apache's context. In
> the second set, it seems to postdrop is attempting to do something
> with apache's error log file.
>
> Can anyone help make sense of this? I know I can create policy rules
> to allow these actions. But I don't want to do that without
> understanding the implications. For reference, audit2allow suggests
> the following policy additions:
>
> #============= postfix_postdrop_t =============
> allow postfix_postdrop_t httpd_log_t:file getattr;
>
> #============= system_mail_t =============
> allow system_mail_t httpd_t:file read;
> allow system_mail_t httpd_tmp_t:file { read write };
>
> Any help greatly appreciated.

If these denials do not interfere with the normal workflow of the
application you may add dontaudit rules to your local policy. The
unnecessary access will still be denied but you won't get these
annoying messages in the logs.

There are plenty of dontaudit rules in the base policy shipped with
CentOS. If you're curious you may install
/usr/share/selinux/targeted/enableaudit.pp which is a base policy with
dontaudit rules turned off.

This short article by Dan Walsh might be useful:
http://danwalsh.livejournal.com/11673.html

HTH
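As an added example (not code from the thread), the script below parses the AVC records quoted above, decodes the hex-encoded path fields that auditd emits when a path contains a space (the "(deleted)" lock files in the first set), and merges the denials into rules in the audit2allow layout, switching the verb between allow and the dontaudit alternative suggested in the reply. The sample records are constructed by re-joining three of the wrapped lines from the thread; pids and inodes are the poster's own xxxxx masks.

```python
import re

# Constructed sample: three AVC records from the thread, each re-joined onto one line
# (the list archive wrapped them). pid/ino values were masked as xxxxx by the poster.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1219458556.400:16996): avc: denied { read write } for pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E302E313236373935383634322E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc: denied { read } for pid=xxxxx comm="sendmail" path="eventpoll:[xxxxx]" dev=eventpollfs ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1219458556.410:16997): avc: denied { getattr } for pid=xxxxx comm="postdrop" path="/var/log/httpd/error_log" dev=dm-4 ino=xxxxx scontext=user_u:object_r:postfix_postdrop_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
"""

def decode_path(raw):
    """auditd writes a field unquoted as hex when it contains spaces or odd bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def parse_avc(line):
    """Return (source type, target type, class, perms, path) for an AVC denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # contexts are user:role:type:level; policy rules are written against the type
    return (f['scontext'].split(':')[2], f['tcontext'].split(':')[2],
            f['tclass'], m.group(1).split(), decode_path(f.get('path', '""')))

def build_rules(audit_text, verb='dontaudit'):
    """Merge denials by (source, target, class) into audit2allow-style rule lines.
    verb='allow' grants the access; verb='dontaudit' keeps denying it but stops the logging."""
    merged = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms, _ = rec
            seen = merged.setdefault((src, tgt, cls), [])
            for p in perms:
                if p not in seen:
                    seen.append(p)
    rules, last_src = [], None
    for (src, tgt, cls), perms in sorted(merged.items()):
        if src != last_src:
            rules.append('#============= %s =============' % src)
            last_src = src
        p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('%s %s %s:%s %s;' % (verb, src, tgt, cls, p))
    return rules

if __name__ == '__main__':
    print('\n'.join(build_rules(SAMPLE_AUDIT)))
```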
Art Age Software
2008-Aug-25 19:46 UTC
[CentOS] Re: CentOS 5.2 + SELinux + Apache/PHP + Postfix
Thanks - appreciate the info. Still, I would like to understand why
these denials are occurring during what should be a pretty typical use
case: namely sending emails from a web app. Does anyone have any
insight into this?

> If these denials do not interfere with the normal workflow
> of the application you may add dontaudit rules to your local policy.
> The unnecessary access will still be denied but you won't get
> these annoying messages in the logs.
>
> There's a plenty of dontaudit rules in the base policy
> shipped with centos. If you're curious you may install
> /usr/share/selinux/targeted/enableaudit.pp
> which is a base policy with dontaudit rules turned off.