Whenever Bugzilla sends an email on my RHEL5 server, I get the following denial in my audit log:

avc: denied { read } for comm="sendmail" dev=eventpollfs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="[227910]" path="eventpoll:[227910]" pid=12526 scontext=root:system_r:system_mail_t:s0 sgid=51 subj=root:system_r:system_mail_t:s0 suid=48 tclass=file tcontext=root:system_r:httpd_t:s0 tty=(none) uid=48

It seems harmless, as the email is still correctly sent.

Packages:
httpd-2.2.3-7.el5
sendmail-8.13.8-2.el5
selinux-policy-targeted-2.4.6-30.el5
This looks like leaked file descriptor from httpd_t.
Is this using mod_perl, or a pure CGI environment?
Right now I'm using mod_perl.
This sounds like expected behaviour then: processes which get fork/exec()ed directly from an in-process script interpreter like mod_perl will inherit whatever fds are open in the httpd child.
No, mod_perl should not be leaking file descriptors. These file descriptors should be closed on exec.
Well this can safely be ignored for now. If you want to get rid of the messages you can execute

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp

We need to go through all of apache and FD_CLOEXEC all the open file descriptors, but this is considered too dangerous for an update. This should be fixed in rawhide, and you have a workaround to stop selinux from complaining.
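The mechanism behind the AVC above (a descriptor opened in the httpd child surviving fork()+exec() into sendmail, and the FD_CLOEXEC fix the last comment refers to) can be reproduced in a few lines. The following is an added example, not code from the thread, from Apache or from the selinux-policy package. It assumes a POSIX system with /bin/sh; on Linux it opens an epoll descriptor, the same object type as the eventpoll:[...] path in the denial, and elsewhere falls back to /dev/null. The function names (open_leaky_fd, set_cloexec, fd_survives_exec, leak_check) are the example's own.

```c
/* Added example: a descriptor without FD_CLOEXEC is inherited across
 * fork()+exec(); setting FD_CLOEXEC on it makes the kernel close it at
 * exec time, which is the fix the bug comment describes for httpd. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/epoll.h>
#endif

/* Open a descriptor the way a careless parent would: no close-on-exec
 * flag. Returns the fd (moved to a number >= 5 so it cannot collide with
 * the child shell's own stdin/stdout/stderr) or -1 on error. */
int open_leaky_fd(void)
{
#ifdef __linux__
    int fd = epoll_create(1);           /* eventpoll object, as in the AVC */
#else
    int fd = open("/dev/null", O_RDONLY);
#endif
    if (fd < 0)
        return -1;
    int high = fcntl(fd, F_DUPFD, 5);   /* F_DUPFD clears FD_CLOEXEC on the copy */
    close(fd);
    return high;
}

/* Mitigation: mark an already-open descriptor close-on-exec.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh, asking it to dup the given descriptor number.
 * If the fd survived the exec the dup succeeds and sh exits 0; if the
 * kernel closed it, the dup fails with EBADF and sh exits non-zero.
 * Returns 1 if the fd was inherited, 0 if not, -1 on fork/wait failure. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 3<&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Run both cases on one descriptor. Returns (inherited_before << 1) |
 * inherited_after, i.e. 2 when the leak exists and FD_CLOEXEC stops it. */
int leak_check(void)
{
    int fd = open_leaky_fd();
    if (fd < 0)
        return -1;
    int before = fd_survives_exec(fd);
    if (set_cloexec(fd) != 0)
        return -1;
    int after = fd_survives_exec(fd);
    close(fd);
    if (before < 0 || after < 0)
        return -1;
    return (before << 1) | after;
}

int main(void)
{
    int r = leak_check();
    printf("inherited without FD_CLOEXEC: %d, with FD_CLOEXEC: %d\n",
           (r >> 1) & 1, r & 1);
    return r == 2 ? 0 : 1;
}
```

The child shell's "Bad file descriptor" message on the second run is the expected outcome: that is the kernel having closed the descriptor at exec, so sendmail (or any other helper) never sees it and SELinux has nothing to deny. Opening with O_CLOEXEC / EPOLL_CLOEXEC where the libc supports it avoids the window between open() and fcntl() entirely.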