Description of problem: avc denied message was found in log after reviewing logwatch summary.

Version-Release number of selected component (if applicable): selinux-policy-targeted-1.17.30-2.141

How reproducible: Don't know

Actual results:
Mar 31 19:31:46 server audit(1175362306.303:70382): avc: denied { read write } for pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket

Expected results: No such message
I found some more messages in March:
Mar 11 11:08:18 server audit(1173607698.202:4055): avc: denied { read write } for pid=5774 comm="admin" name="[2406546]" dev=sockfs ino=2406546 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 11 11:12:37 server audit(1173607957.761:4056): avc: denied { read write } for pid=6002 comm="admin" name="[2936225]" dev=sockfs ino=2936225 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 12 22:22:41 server audit(1173734561.351:4057): avc: denied { read write } for pid=2722 comm="options" name="[2930461]" dev=sockfs ino=2930461 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 12 22:29:13 server audit(1173734953.918:4058): avc: denied { read write } for pid=2966 comm="options" name="[2948636]" dev=sockfs ino=2948636 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 14 10:13:51 server audit(1173863631.443:4059): avc: denied { read write } for pid=3645 comm="admindb" name="[4138282]" dev=sockfs ino=4138282 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 14 10:29:35 server audit(1173864575.988:4060): avc: denied { read write } for pid=4396 comm="admindb" name="[2417587]" dev=sockfs ino=2417587 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 14 11:25:46 server audit(1173867946.809:4061): avc: denied { read write } for pid=6940 comm="admindb" name="[2397512]" dev=sockfs ino=2397512 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 14 12:12:17 server audit(1173870737.297:4062): avc: denied { read write } for pid=8995 comm="admindb" name="[4138282]" dev=sockfs ino=4138282 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 15 21:27:11 server audit(1173990431.131:4063): avc: denied { read write } for pid=810 comm="admindb" name="[2399588]" dev=sockfs ino=2399588 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 17 12:44:23 server audit(1174131863.683:4064): avc: denied { read write } for pid=10014 comm="listinfo" name="[2667608]" dev=sockfs ino=2667608 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 17 19:12:49 server audit(1174155169.412:4065): avc: denied { read write } for pid=26687 comm="listinfo" name="[2397824]" dev=sockfs ino=2397824 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 25 14:48:58 server audit(1174826938.433:24805): avc: denied { read write } for pid=26610 comm="admindb" name="[2930461]" dev=sockfs ino=2930461 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 31 19:31:46 server audit(1175362306.303:70382): avc: denied { read write } for pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket

It's strange that I did not find such messages in the time range Dec to Feb; the selinux-policy-targeted version shown above was installed in September.
This could be a leaked file descriptor from httpd?

allow mailman_cgi_t httpd_t:tcp_socket { read write };

This says that your cgi script is trying to use the tcp_socket connection opened in httpd_t. Does the mailman_cgi_t work correctly despite this avc?
This system is also in permissive mode because of the other issue I had in #178692, so nothing prevents mailman from working. I tried this now and restarted httpd beforehand (and added my nscd rules); the shown messages no longer appear, while the mailman web interface is still working.

BTW: while checking in enableaudit mode, I found that python also wants to access nscd:
Apr 10 17:24:37 server audit(1176218677.119:143558): avc: denied { search } for pid=13594 comm="python" name="nscd" dev=md1 ino=464973 scontext=user_u:system_r:mailman_cgi_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Required ruleset:
allow mailman_cgi_t nscd_var_run_t:dir search;

Afterwards, I see only the three dontaudit-marked ones: noatsecure rlimitinh siginh - looks like they have no impact at all.
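As an added example (not code from the bug report or from the selinux-policy project), the script below does the triage that the two comments above do by hand: it parses the old-style syslog AVC records quoted in this bug, merges each (source type, target type, class) group into the allow rule audit2allow would propose, and separately flags denials whose object is a sockfs inode (name="[ino]" dev=sockfs), which is the signature of a socket the CGI process inherited from httpd rather than opened itself. The AVC lines in SAMPLE_LOG are copied from the report; the trailing non-AVC line is constructed to show that unrelated log lines are skipped. The "leaked descriptor" heuristic is an assumption of this example, not a rule stated by the policy maintainers.

```python
import re
from collections import defaultdict

# Input: three AVC records copied from the bug report plus one constructed
# non-AVC line that the parser must ignore.
SAMPLE_LOG = """\
Mar 31 19:31:46 server audit(1175362306.303:70382): avc: denied { read write } for pid=5936 comm="admindb" name="[2399588]" dev=sockfs ino=2399588 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Mar 17 12:44:23 server audit(1174131863.683:4064): avc: denied { read write } for pid=10014 comm="listinfo" name="[2667608]" dev=sockfs ino=2667608 scontext=user_u:system_r:mailman_cgi_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Apr 10 17:24:37 server audit(1176218677.119:143558): avc: denied { search } for pid=13594 comm="python" name="nscd" dev=md1 ino=464973 scontext=user_u:system_r:mailman_cgi_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 10 17:24:38 server kernel: constructed noise line, not an AVC record
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC 'denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(sorted(m.group("perms").split()))}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')  # name="[2399588]" -> [2399588]
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose.
    A single permission is written bare, several are braced, matching the
    two rules quoted in this bug."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def leaked_socket_suspects(log_text):
    """Heuristic (this example's assumption): a *_socket denial whose object is a
    sockfs inode, name="[ino]", means the process is using a socket it did not
    open itself, i.e. a descriptor inherited across fork/exec from its parent.
    Returns (comm, pid) pairs so the parent domain can be checked for the leak."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec["tclass"].endswith("_socket") and rec.get("dev") == "sockfs"
                and rec.get("name", "").startswith("[")):
            suspects.append((rec.get("comm", "?"), rec.get("pid", "?")))
    return suspects


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for key, g in sorted(groups.items()):
        print(f"{key}: {g['count']} denial(s) from {sorted(g['comms'])}")
    for rule in allow_rules(groups):
        print(rule)
    print("inherited-socket suspects:", leaked_socket_suspects(SAMPLE_LOG))
```

The merged rule for the httpd_t socket is exactly the one proposed in the comment above, and the inherited-socket list is the set of processes to look at before deciding whether that rule belongs in policy or whether httpd should be closing the descriptor (for example with close-on-exec) before it executes the CGI.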
I believe all of the nscd_var_run_t messages would be dontaudited also; you are running with the make enableaudit.
Yes, selinux runs in enableaudit in this case. But why are these events suppressed by "dontaudit" instead of adding the related ruleset? As we learnt from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178692, such a missing ruleset can lead to very unexpected behavior.
We want the tools to use the nscd socket rather than other mechanisms for communicating with nscd, which are potentially more dangerous for two confined domains to attack each other. nscd attempts to use shared memory first, gets a denied access, and falls back to using the socket. (At least that is the way I understand it.)