Bug 435871 - SELinux is preventing createaccount.c (httpd_bugzilla_script_t) "name_connect" to (smtp_port_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls
Version: 8
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2008-03-04 02:40 EST by Adrin Jalali
Modified: 2008-11-17 17:03 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:03:14 EST

Description Adrin Jalali 2008-03-04 02:40:21 EST
Description of problem:
SELinux denied access requested by createaccount.c. It is not expected that this
access is required by createaccount.c and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information
Source Context:  system_u:system_r:httpd_bugzilla_script_t:s0
Target Context:  system_u:object_r:smtp_port_t:s0
Target Objects:  None [ tcp_socket ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-84.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count:  1
First Seen:  Tue 04 Mar 2008 11:03:51 AM IRST
Last Seen:  Tue 04 Mar 2008 11:03:51 AM IRST
Local ID:  e9303818-2d1c-49b6-89e5-bb124303c23e
Line Numbers:

Raw Audit Messages :
avc: denied { name_connect } for comm=createaccount.c dest=25 egid=48 euid=48 exe=/usr/bin/perl exit=-115 fsgid=48 fsuid=48 gid=48 items=0 pid=21369 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 sgid=48 subj=system_u:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=tcp_socket tcontext=system_u:object_r:smtp_port_t:s0 tty=(none) uid=48
Comment 1 cje 2008-03-07 14:17:14 EST
This probably needs to be moved to component selinux-policy-mls.
Comment 2 Jon Stanley 2008-05-25 01:38:24 EDT
Changing component from bugzilla to selinux-policy-mls
Comment 3 Jon Stanley 2008-05-25 01:42:40 EDT
Forgot to click the reassignment button.
Comment 4 Daniel Walsh 2008-05-27 12:18:46 EDT
Is bugzilla allowed to send email?
Comment 5 John Berninger 2008-05-27 13:01:57 EDT
Yes - bugzilla can be configured to send email for any of several reasons.  It
is an expected behavior of the package.
Comment 6 Daniel Walsh 2008-05-27 15:37:37 EDT
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-107.fc8
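
Added example, not part of the original report or of any commenter's post, and not audit2allow's own code: Python that parses AVC denials like the one quoted in the description and prints the allow rule each corresponds to, with an optional filter on the source domain, since audit2allow turns every denial in its input into a rule. The second log line and all function names are constructed for illustration.

```python
import re

# Constructed sample: the denial quoted in this report plus one unrelated,
# made-up denial, to show why filtering by source domain matters.
SAMPLE_LOG = """\
avc: denied { name_connect } for comm=createaccount.c dest=25 egid=48 euid=48 exe=/usr/bin/perl exit=-115 fsgid=48 fsuid=48 gid=48 items=0 pid=21369 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 sgid=48 subj=system_u:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=tcp_socket tcontext=system_u:object_r:smtp_port_t:s0 tty=(none) uid=48
avc: denied { read write } for comm=example pid=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into (source_type, target_type, class, perms)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        return (context_type(fields["scontext"]),
                context_type(fields["tcontext"]), fields["tclass"], perms)
    except (KeyError, IndexError):
        return None  # denial record without usable contexts or class

def allow_rules(log_text, source_type=None):
    """Merge denials into allow rules, optionally for one source domain only."""
    merged = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (source_type and rec[0] != source_type):
            continue
        # Group permissions by (source type, target type, object class).
        merged.setdefault(rec[:3], set()).update(rec[3])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG, "httpd_bugzilla_script_t")))
```

Run without the filter, the constructed second denial also becomes a rule, which is the case to look for before loading a module built from a whole log.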
Comment 7 Daniel Walsh 2008-11-17 17:03:14 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
