448333 – avc: denied { read write } for comm="sendmail" path="socket:[4722163]" dev=sockfs

Bug 448333 - avc: denied { read write } for comm="sendmail" path="socket:[4722163]" dev=sockfs

Summary: avc: denied { read write } for comm="sendmail" path="socket:[4722163]" dev=so...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-26 00:07 UTC by Robert Scheck
Modified:	2008-11-17 22:04 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:04:08 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
sealerts (10.44 KB, text/plain) 2008-06-14 11:44 UTC, Frank Murphy	no flags	Details
View All

Description Robert Scheck 2008-05-26 00:07:07 UTC

Description of problem:
Following AVC denied pops up for me when a script in /etc/cron.weekly causes 
output to STDOUT.

type=AVC msg=audit(1211686193.517:13630): avc:  denied  { read write } for  
pid=20139 comm="sendmail" path="socket:[4722163]" dev=sockfs ino=4722163 
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 
tclass=unix_stream_socket
type=SYSCALL msg=audit(1211686193.517:13630): arch=40000003 syscall=11 
success=yes exit=0 a0=925b600 a1=925b728 a2=925aaa8 a3=0 items=0 ppid=20136 
pid=20139 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 
tty=(none) ses=2485 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-55

How reproducible:
Everytime, see above.

Actual results:
AVC denied

Expected results:
No AVC denied.

Comment 1 Robert Scheck 2008-05-26 00:33:39 UTC

Sorry, I've to correct myself. The script does something like this which seems
to cause the AVC denieds...

#!/usr/bin/php
<?php
mail("root@localhost", "Some subject", "Some body", "From: root@localhost\n");
?>

So is this AVC correct or not? PHP's mail() calls /usr/sbin/sendmail(.sendmail)
to send this mail then.

Comment 2 Daniel Walsh 2008-05-27 16:26:48 UTC

This looks like a leaked file descriptor from either php or cron.

Probably can be safely ignored.

I take it the mail was sent successfully.

Comment 3 Daniel Walsh 2008-05-27 16:27:21 UTC

Are you using ldap for authentication?

Comment 4 Robert Scheck 2008-05-27 22:00:53 UTC

I'm using no LDAP - anyway either allowed or silenced. In permissive, it is send 
anyway, but I've to much other things currently, that I can't enforce.

Comment 5 Daniel Walsh 2008-05-28 11:03:05 UTC

Ok not sure if it is necessary or not but I will allow it.

Fixed in selinux-policy-3.3.1-56.fc9

Comment 6 Frank Murphy 2008-06-14 11:44:37 UTC

Created attachment 309357 [details]
sealerts

restorecon -v '/'  
had no effect, avc still going mental as I type alert count up to 180+

Comment 7 Daniel Walsh 2008-06-16 10:45:23 UTC

Frank you have a process that is running as unlabeled_t.  You need to kill and
restart it.  Or reboot the machine,  Not sure how the process lost it's label.

Comment 8 Daniel Walsh 2008-11-17 22:04:08 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.