Bug 321641 - Calling sendmail from httpd (apache) in a CGI throws an apparently harmless denial
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
All Linux
Severity: low
Assigned To: Joe Orton
Reported: 2007-10-06 19:19 EDT by Max Kanat-Alexander
Modified: 2007-11-26 16:17 EST (History)
Last Closed: 2007-11-26 16:17:31 EST

Description Max Kanat-Alexander 2007-10-06 19:19:55 EDT
Whenever Bugzilla sends an email on my RHEL5 server, I get the following denial
in my audit log:

avc: denied { read } for comm="sendmail" dev=eventpollfs egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0
name="[227910]" path="eventpoll:[227910]" pid=12526
scontext=root:system_r:system_mail_t:s0 sgid=51
subj=root:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=root:system_r:httpd_t:s0 tty=(none) uid=48

It seems harmless, as the email is still correctly sent.

Comment 1 Daniel Walsh 2007-10-08 10:50:12 EDT
This looks like a leaked file descriptor from httpd_t.

Comment 2 Joe Orton 2007-10-24 04:21:11 EDT
Is this using mod_perl, or a pure CGI environment?

Comment 3 Max Kanat-Alexander 2007-10-24 06:25:30 EDT
Right now I'm using mod_perl.

Comment 4 Joe Orton 2007-11-09 10:57:12 EST
This sounds like expected behaviour then: processes which get fork/exec()ed
directly from an in-process script interpreter like mod_perl will inherit
whatever fds are open in the httpd child.

Comment 5 Daniel Walsh 2007-11-12 17:56:52 EST
No, mod_perl should not be leaking file descriptors.  These file descriptors
should be closed on exec.

Comment 7 Daniel Walsh 2007-11-26 16:17:31 EST
Well, this can safely be ignored for now. If you want to get rid of the messages,
you can execute

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp

We need to go through all of apache and FD_CLOEXEC all the open file
descriptors, but this is considered too dangerous for an update.  This should be
fixed in rawhide, and you have a workaround to stop selinux from complaining.
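
The descriptor inheritance discussed in comments 4 to 7, as an added example that is not part of the bug report or of the httpd/mod_perl code: a Linux C program that opens an epoll descriptor, fork/execs a helper the way an in-process interpreter would, and reports whether the helper still holds the descriptor with and without FD_CLOEXEC. The function name and the /bin/sh probe are assumptions of the example; the probe needs a one-digit descriptor number.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper for this example.
 * Returns 1 if the epoll descriptor is still open in the exec'd program,
 * 0 if it was closed at exec, -1 on a setup error. */
int epoll_fd_survives_exec(int set_cloexec)
{
    /* Daemon side: open the epoll instance (no close-on-exec by default). */
    int ep = epoll_create(1);
    if (ep < 0 || ep > 9) {              /* the sh probe needs a one-digit fd */
        if (ep >= 0) close(ep);
        return -1;
    }
    /* The fix named in comment 7: mark the descriptor close-on-exec. */
    if (set_cloexec && fcntl(ep, F_SETFD, FD_CLOEXEC) < 0) {
        close(ep);
        return -1;
    }

    /* ":" with a dup redirection fails when fd <ep> is not open in the shell. */
    char probe[64];
    snprintf(probe, sizeof probe, "exec 2>/dev/null; : <&%d", ep);

    pid_t pid = fork();
    if (pid < 0) { close(ep); return -1; }
    if (pid == 0) {
        /* Interpreter side: fork/exec a helper without closing anything,
         * as happens when a script hands mail to an external program. */
        execl("/bin/sh", "sh", "-c", probe, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }

    int status;
    close(ep);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("default flags: inherited=%d\n", epoll_fd_survives_exec(0));
    printf("FD_CLOEXEC   : inherited=%d\n", epoll_fd_survives_exec(1));
    return 0;
}
```

In the denial quoted in the description, the inherited descriptor is the eventpoll object labelled httpd_t that the system_mail_t process is refused read access to; a descriptor closed at exec never reaches the helper.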
