Bug 435871

Summary: SELinux is preventing createaccount.c (httpd_bugzilla_script_t) "name_connect" to (smtp_port_t).
Product: [Fedora] Fedora
Reporter: Adrin Jalali <adrin.jalali>
Component: selinux-policy-mls
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Priority: low
Version: 8
CC: cje, jonstanley, tuju
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:03:14 UTC

Description Adrin Jalali 2008-03-04 07:40:21 UTC
Description of problem:
SELinux denied access requested by createaccount.c. It is not expected that this
access is required by createaccount.c and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information
Source Context:  system_u:system_r:httpd_bugzilla_script_t:s0
Target Context:  system_u:object_r:smtp_port_t:s0
Target Objects:  None [ tcp_socket ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-84.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count:  1
First Seen:  Tue 04 Mar 2008 11:03:51 AM IRST
Last Seen:  Tue 04 Mar 2008 11:03:51 AM IRST
Local ID:  e9303818-2d1c-49b6-89e5-bb124303c23e
Line Numbers:

Raw Audit Messages :
avc: denied { name_connect } for
comm=createaccount.c dest=25 egid=48 euid=48 exe=/usr/bin/perl exit=-115
fsgid=48 fsuid=48 gid=48 items=0 pid=21369
scontext=system_u:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=system_u:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=tcp_socket
tcontext=system_u:object_r:smtp_port_t:s0 tty=(none) uid=48

Comment 1 cje 2008-03-07 19:17:14 UTC
this probably needs to be moved to component selinux-policy-mls.

Comment 2 Jon Stanley 2008-05-25 05:38:24 UTC
Changing component from bugzilla to selinux-policy-mls

Comment 3 Jon Stanley 2008-05-25 05:42:40 UTC
Forgot to click the reassignment button.

Comment 4 Daniel Walsh 2008-05-27 16:18:46 UTC
Is bugzilla allowed to send email?

Comment 5 John Berninger 2008-05-27 17:01:57 UTC
Yes - bugzilla can be configured to send email for any of several reasons.  It
is an expected behavior of the package.

Comment 6 Daniel Walsh 2008-05-27 19:37:37 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-107.fc8
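
The workaround in Comment 6 feeds the whole audit log to audit2allow, so the generated module allows every denial recorded there, not only the Bugzilla-to-SMTP one. As an added example (not part of the original comment or of the SELinux tooling), the Python code below parses AVC lines and renders the allow rule for a single source domain so it can be reviewed before anything is loaded; the sample log and all function names are constructed for illustration.

```python
import re

# Constructed sample log: the first record is the denial from this report
# (fields trimmed); the second is an unrelated, made-up denial.
SAMPLE_LOG = """\
avc: denied { name_connect } for comm=createaccount.c dest=25 pid=21369 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tclass=tcp_socket tcontext=system_u:object_r:smtp_port_t:s0
avc: denied { read } for comm=example pid=4242 scontext=system_u:system_r:example_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    try:
        return {
            "perms": m.group("perms").split(),
            # SELinux contexts are user:role:type:level; the type is field 3.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def allow_rule(avc):
    """Render the type-enforcement rule that would permit this denial."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {perm_text};"

def rules_for_domain(log_text, source_type):
    """Rules for denials raised by one source domain only, de-duplicated."""
    rules = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["source"] == source_type:
            rule = allow_rule(avc)
            if rule not in rules:
                rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in rules_for_domain(SAMPLE_LOG, "httpd_bugzilla_script_t"):
        print(rule)
```

audit2allow -M also writes mypol.te next to mypol.pp; reading that file before running semodule -i serves the same purpose.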

Comment 7 Daniel Walsh 2008-11-17 22:03:14 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.