Bug 235808 - web interface of mailman triggers an avc denied message
Summary: web interface of mailman triggers an avc denied message
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-10 09:31 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-17 15:47:08 UTC
Target Upstream Version:
Embargoed:



Description Peter Bieringer 2007-04-10 09:31:55 UTC
Description of problem:
avc denied message was found in log after reviewing logwatch summary.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.141

How reproducible:
Don't know

Actual results:
Mar 31 19:31:46 server audit(1175362306.303:70382): avc:  denied  { read write }
for  pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket

Expected results:
No such message

Comment 1 Peter Bieringer 2007-04-10 10:11:30 UTC
I found some more messages in March:

Mar 11 11:08:18 server audit(1173607698.202:4055): avc:  denied  { read write }
for  pid=5774 comm="admin" name="[2406546]" dev=sockfs ino=2406546
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 11 11:12:37 server audit(1173607957.761:4056): avc:  denied  { read write }
for  pid=6002 comm="admin" name="[2936225]" dev=sockfs ino=2936225
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 12 22:22:41 server audit(1173734561.351:4057): avc:  denied  { read write }
for  pid=2722 comm="options" name="[2930461]" dev=sockfs ino=2930461
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 12 22:29:13 server audit(1173734953.918:4058): avc:  denied  { read write }
for  pid=2966 comm="options" name="[2948636]" dev=sockfs ino=2948636
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 14 10:13:51 server audit(1173863631.443:4059): avc:  denied  { read write }
for  pid=3645 comm="admindb" name="[4138282]" dev=sockfs ino=4138282
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 14 10:29:35 server audit(1173864575.988:4060): avc:  denied  { read write }
for  pid=4396 comm="admindb" name="[2417587]" dev=sockfs ino=2417587
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 14 11:25:46 server audit(1173867946.809:4061): avc:  denied  { read write }
for  pid=6940 comm="admindb" name="[2397512]" dev=sockfs ino=2397512
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 14 12:12:17 server audit(1173870737.297:4062): avc:  denied  { read write }
for  pid=8995 comm="admindb" name="[4138282]" dev=sockfs ino=4138282
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 15 21:27:11 server audit(1173990431.131:4063): avc:  denied  { read write }
for  pid=810 comm="admindb" name="[2399588]" dev=sockfs ino=2399588
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 17 12:44:23 server audit(1174131863.683:4064): avc:  denied  { read write }
for  pid=10014 comm="listinfo" name="[2667608]" dev=sockfs ino=2667608
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 17 19:12:49 server audit(1174155169.412:4065): avc:  denied  { read write }
for  pid=26687 comm="listinfo" name="[2397824]" dev=sockfs ino=2397824
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 25 14:48:58 server audit(1174826938.433:24805): avc:  denied  { read write }
for  pid=26610 comm="admindb" name="[2930461]" dev=sockfs ino=2930461
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Mar 31 19:31:46 server audit(1175362306.303:70382): avc:  denied  { read write }
for  pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket

It's strange that I did not find such messages in the time range Dec to Feb. The shown
selinux-policy-targeted was installed in September.

Comment 2 Daniel Walsh 2007-04-10 14:54:35 UTC
This could be a leaked file descriptor from httpd?

allow mailman_cgi_t httpd_t:tcp_socket { read write };

This says that your CGI script is trying to use the tcp_socket connection opened
in httpd_t. Does the mailman_cgi_t work correctly despite this avc?

Comment 3 Peter Bieringer 2007-04-10 15:28:03 UTC
This system is also in permissive mode because of the other issue I had in
#178692, so nothing prevents mailman from working. I tried this now, having
restarted httpd before (and added my nscd rules); the shown messages no
longer appear, while the mailman web interface is still working.

BTW: while checking in enableaudit mode, I found that python also wants to
access nscd:
Apr 10 17:24:37 server audit(1176218677.119:143558): avc:  denied  { search }
for  pid=13594 comm="python" name="nscd" dev=md1 ino=464973
scontext=user_u:system_r:mailman_cgi_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir

Required ruleset:
allow mailman_cgi_t nscd_var_run_t:dir search;

Afterwards, I see only the three dontaudit-marked ones: noatsecure,
rlimitinh, siginh - it looks like they have no impact at all.
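
Added example, not code from this bug or from the SELinux policy tools: a small Python script that parses AVC records in the wrapped multi-line form quoted in this thread, merges them per (source type, target type, class) into the same allow rules audit2allow would derive (the tcp_socket rule from Comment 2 and the nscd_var_run_t:dir search rule from Comment 3), and separately flags the dev=sockfs name="[inode]" pattern that marks a descriptor inherited from httpd_t rather than a permission the CGI itself needs. The sample log is constructed from two records quoted above; the function names are the example's own.

```python
import re
from collections import defaultdict
# Constructed sample (not the bug's full log): one record of each denial quoted in this thread.
SAMPLE_LOG = """\
Mar 31 19:31:46 server audit(1175362306.303:70382): avc:  denied  { read write }
for  pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588
scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t
tclass=tcp_socket
Apr 10 17:24:37 server audit(1176218677.119:143558): avc:  denied  { search }
for  pid=13594 comm="python" name="nscd" dev=md1 ino=464973
scontext=user_u:system_r:mailman_cgi_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
"""
RECORD_START = re.compile(r'\n(?=\w{3} +\d+ \d\d:\d\d:\d\d .*audit\()')  # a new syslog record
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per AVC denial, re-joining records wrapped over several lines."""
    for rec in RECORD_START.split(text.strip()):
        m = AVC_RE.search(' '.join(rec.split()))  # collapse the wrapping whitespace
        if m:
            avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
            avc['perms'] = sorted(m.group('perms').split())
            yield avc

def type_of(context):
    return context.split(':')[2]  # user_u:system_r:mailman_cgi_t -> mailman_cgi_t

def summarize(text):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for avc in parse_avc(text):
        merged[(type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])].update(avc['perms'])
    return {key: sorted(perms) for key, perms in merged.items()}

def allow_rules(text):
    """Render each merged group as the TE rule that would silence it."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(text).items()):
        perm_set = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_set};')
    return rules

def leaked_fd_denials(text):
    """Anonymous-socket denials (dev=sockfs, name="[inode]") from another domain match the
    leaked-descriptor explanation in Comment 2: fix the leak rather than allow the rule."""
    return [avc for avc in parse_avc(text)
            if avc.get('dev') == 'sockfs' and re.fullmatch(r'\[\d+\]', avc.get('name', ''))
            and type_of(avc['scontext']) != type_of(avc['tcontext'])]
```

Running allow_rules(SAMPLE_LOG) reproduces both rules quoted in this thread, while leaked_fd_denials(SAMPLE_LOG) returns only the httpd_t socket record, the one an allow rule should not be written for.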



Comment 4 Daniel Walsh 2007-04-10 16:05:06 UTC
I believe all of the nscd_var_run_t messages would be dontaudited also. You are
running with the make enableaudit.



Comment 5 Peter Bieringer 2007-04-11 08:08:36 UTC
Yes, selinux runs in enableaudit in this case. But why are these events
suppressed by "dontaudit" instead of adding the related ruleset? As we learnt from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178692, such a missing ruleset
can lead to very unexpected behavior.

Comment 6 Daniel Walsh 2007-04-11 13:29:22 UTC
We want the tools to use the nscd socket rather than other mechanisms for
communicating with nscd, which are potentially more dangerous, allowing two confined
domains to attack each other.  nscd attempts to use shared memory first, gets a
denied access and falls back to using the socket.  (At least that is the way I
understand it.)

