New "postdrop" denial

Paul Howarth paul at city-fan.org
Fri Feb 26 10:57:18 UTC 2010


On 26/02/10 10:39, Richard Chapman wrote:
> I have seen this denial twice in the last few days - and I think it is
> new to my system. I'm not sure whether recent updates have caused it -
> or whether my system has entered a new phase for some other reason. I
> can't think of any obvious changes I have made. Any suggestions would be
> welcome:
>
> Summary
> SELinux is preventing postdrop (postfix_postdrop_t) "getattr" to
> /var/log/httpd/error_log (httpd_log_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux denied access requested by postdrop. It is not expected that
> this access is required by postdrop and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /var/log/httpd/error_log,
>
> restorecon -v '/var/log/httpd/error_log'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ
> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385>  Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a bug report
> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi>  against this package.
>
> Additional Information
>
> Source Context:   	system_u:system_r:postfix_postdrop_t
> Target Context:   	system_u:object_r:httpd_log_t
> Target Objects:   	/var/log/httpd/error_log [ file ]
> Source:   	postdrop
> Source Path:   	/usr/sbin/postdrop
> Port:   	<Unknown>
> Host:   	C5.aardvark.com.au
> Source RPM Packages:   	postfix-2.3.3-2.1.el5_2
> Target RPM Packages:   	
> Policy RPM:   	selinux-policy-2.4.6-255.el5_4.4
> Selinux Enabled:   	True
> Policy Type:   	targeted
> MLS Enabled:   	True
> Enforcing Mode:   	Permissive
> Plugin Name:   	catchall_file
> Host Name:   	C5.aardvark.com.au
> Platform:   	Linux C5.aardvark.com.au 2.6.18-164.11.1.el5 #1 SMP Wed Jan
> 20 07:32:21 EST 2010 x86_64 x86_64
> Alert Count:   	4
> First Seen:   	Wed Jan 13 16:49:57 2010
> Last Seen:   	Wed Feb 24 11:42:04 2010
> Local ID:   	f532f021-830c-4b05-8175-8a6887dd132b
> Line Numbers:   	
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1266982924.689:25356): avc:
> denied { getattr } for pid=14542 comm="postdrop"
> path="/var/log/httpd/error_log" dev=dm-0 ino=29360282
> scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1266982924.689:25356):
> arch=c000003e syscall=5 success=yes exit=0 a0=2 a1=7fff9da1f600
> a2=7fff9da1f600 a3=0 items=0 ppid=14541 pid=14542 auid=4294967295 uid=48
> gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none)
> ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop"
> subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

I would guess that this is a leaked file descriptor from httpd and the 
AVC is triggered when a webapp you're running on this system sends some 
mail.

Paul.
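Paul's diagnosis (a descriptor inherited from httpd rather than postdrop opening the log itself) can be checked against the raw audit records, because the SYSCALL line names the call and its first argument. The script below is an added example and is not part of the thread; it parses the two records quoted above, decodes syscall 5 under arch c000003e as fstat on x86_64 (so a0=2 is file descriptor 2, the stderr Apache points at error_log), and reports the denial as a leaked-fd case, which is addressed by closing inherited descriptors in the web application that spawns sendmail or by a dontaudit rule, not by granting postfix_postdrop_t access to httpd_log_t. The small syscall table and the "fd 0-2" threshold are assumptions of the example, not something the thread states.

```python
"""Triage an AVC denial for the leaked-file-descriptor signature.

Added example (not from the mailing-list thread). It parses the two audit
records quoted in the message and checks whether the denial looks like a
descriptor that httpd left open across exec of sendmail/postdrop, rather than
postdrop deliberately touching the Apache log.
"""
import re
from typing import Dict, List, Optional

# Constructed input: the two audit records from the message, re-joined onto
# one line each (the archive wrapped them).
AVC_LINE = (
    'type=AVC msg=audit(1266982924.689:25356): avc: denied { getattr } '
    'for pid=14542 comm="postdrop" path="/var/log/httpd/error_log" dev=dm-0 '
    'ino=29360282 scontext=system_u:system_r:postfix_postdrop_t:s0 '
    'tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1266982924.689:25356): arch=c000003e syscall=5 '
    'success=yes exit=0 a0=2 a1=7fff9da1f600 a2=7fff9da1f600 a3=0 items=0 '
    'ppid=14541 pid=14542 auid=4294967295 uid=48 gid=48 euid=48 suid=48 '
    'fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 '
    'comm="postdrop" exe="/usr/sbin/postdrop" '
    'subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)'
)

# arch=c000003e is AUDIT_ARCH_X86_64. This table is deliberately tiny (an
# assumption of the example); a real tool would use the full x86_64 table.
AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALLS = {2: "open", 4: "stat", 5: "fstat", 6: "lstat", 59: "execve"}
# Calls whose first argument (a0) is a file descriptor.
FD_ARG_SYSCALLS = {"fstat"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_audit(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def avc_permissions(line: str) -> List[str]:
    """Return the permission names inside the '{ ... }' of an AVC record."""
    m = PERM_RE.search(line)
    return m.group(1).split() if m else []


def context_type(context: str) -> str:
    """Third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]


def triage(avc: Dict[str, str], perms: List[str],
           syscall: Dict[str, str]) -> Dict[str, object]:
    """Decode the syscall and decide whether this is a leaked descriptor.

    A leaked fd shows up as a metadata-only permission (getattr) requested via
    an fd-based call (fstat) on a low descriptor number (0-2 are the stdio
    descriptors a parent hands to every child it execs). Anything else is
    treated as the process genuinely addressing the file by path.
    """
    name: Optional[str] = None
    if int(syscall["arch"], 16) == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(int(syscall["syscall"]))
    fd: Optional[int] = int(syscall["a0"], 16) if name in FD_ARG_SYSCALLS else None
    leaked = (
        avc.get("tclass") == "file"
        and perms == ["getattr"]
        and name == "fstat"
        and fd is not None and fd <= 2
    )
    return {
        "syscall": name,
        "fd": fd,
        "parent_pid": int(syscall["ppid"]),
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "path": avc.get("path"),
        "likely_leaked_fd": leaked,
    }


if __name__ == "__main__":
    result = triage(parse_audit(AVC_LINE), avc_permissions(AVC_LINE),
                    parse_audit(SYSCALL_LINE))
    for key, value in result.items():
        print(f"{key:>17}: {value}")
```

With the records from the thread the verdict is `likely_leaked_fd: True` on fd 2 from parent pid 14541: the caller should close (or set FD_CLOEXEC on) inherited descriptors before exec'ing sendmail, and the policy-side answer for a confirmed leak is a dontaudit rule, since postdrop never needs to read or write the httpd log. Had the SYSCALL record shown `open` or a path-based `stat`, the same code reports `False` and the access deserves a closer look.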

