Bug 321641 - Calling sendmail from httpd (apache) in a CGI throws an apparently harmless denial
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-06 23:19 UTC by Max Kanat-Alexander
Modified: 2007-11-26 21:17 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-26 21:17:31 UTC
Target Upstream Version:
Embargoed:



Description Max Kanat-Alexander 2007-10-06 23:19:55 UTC
Whenever Bugzilla sends an email on my RHEL5 server, I get the following denial
in my audit log:

avc: denied { read } for comm="sendmail" dev=eventpollfs egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0
name="[227910]" path="eventpoll:[227910]" pid=12526
scontext=root:system_r:system_mail_t:s0 sgid=51
subj=root:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=root:system_r:httpd_t:s0 tty=(none) uid=48

It seems harmless, as the email is still correctly sent.

Packages:
httpd-2.2.3-7.el5
sendmail-8.13.8-2.el5
selinux-policy-targeted-2.4.6-30.el5

Comment 1 Daniel Walsh 2007-10-08 14:50:12 UTC
This looks like leaked file descriptor from httpd_t.

Comment 2 Joe Orton 2007-10-24 08:21:11 UTC
Is this using mod_perl, or a pure CGI environment?

Comment 3 Max Kanat-Alexander 2007-10-24 10:25:30 UTC
Right now I'm using mod_perl.

Comment 4 Joe Orton 2007-11-09 15:57:12 UTC
This sounds like expected behaviour then: processes which get fork/exec()ed
directly from an in-process script interpreter like mod_perl will inherit
whatever fds are open in the httpd child.

Comment 5 Daniel Walsh 2007-11-12 22:56:52 UTC
No, mod_perl should not be leaking file descriptors. These file descriptors
should be closed on exec.

Comment 7 Daniel Walsh 2007-11-26 21:17:31 UTC
Well, this can safely be ignored for now. If you want to get rid of the messages
you can execute

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp

We need to go through all of apache and FD_CLOEXEC all the open file
descriptors, but this is considered too dangerous for an update. This should be
fixed in rawhide, and you have a workaround to stop selinux from complaining.
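The descriptor inheritance described in Comments 4 and 7, shown with an added C example that is not Apache's or sendmail's own code: an epoll descriptor (the same kind of object as the eventpoll fd in the denial above) stays visible to an exec'd /bin/sh until FD_CLOEXEC is set on it. Function names are assumed for illustration; Linux only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec (the fix Comment 7 asks for across httpd).
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Fork and exec /bin/sh, asking it to dup fd onto its stdout (": >&N").
 * The redirection only succeeds if fd is still open after exec, so the
 * shell's exit status reveals whether the descriptor leaked into the child.
 * Returns 1 if the exec'd child could see fd, 0 if not, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY); /* hide "Bad file descriptor" */
        if (devnull != -1)
            dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127) /* exec itself failed */
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int epfd = epoll_create1(0); /* like httpd's event fd: no CLOEXEC by default */
    if (epfd == -1) { perror("epoll_create1"); return 1; }
    printf("before FD_CLOEXEC: exec'd child sees fd? %d\n", fd_survives_exec(epfd));
    set_cloexec(epfd);
    printf("after  FD_CLOEXEC: exec'd child sees fd? %d\n", fd_survives_exec(epfd));
    close(epfd);
    return 0;
}
```

Running this under a confined domain would reproduce the pattern from the report: the leaked fd belongs to the parent's context, so the exec'd child touching it is exactly what the AVC denial records.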

