On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
On 05/03/2012 10:40 AM, Alan M. Evans wrote:
On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
What AVC messages are you seeing?
None now, as I said. But before I applied the local policy, the denials were:
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
I used these with audit2allow to make a local policy module. Since then, audit.log is completely silent when the script execution fails.
An email comes in and this then executes a cgi script which connects to postgresql?
Yes. The DB that keeps the mailing list recipients is postgresql. I'm not entirely certain how it got that far, given that sendmail was denied read and open access on the script.
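The following is an added example, not code from the thread or from the audit2allow tool itself: a small Python parser that reads AVC denial records like the six quoted above, merges them by (source type, target type, object class), and renders a .te policy module in the same shape that `audit2allow -M` produces. The sample input is the thread's own denials, re-split one per line; the module name `local_sendmail_cgi` is an arbitrary choice. Running it makes visible exactly what the local policy in the thread grants: the sendmail_t domain itself gets read access to httpd_sys_content_t files and a connect to postgresql_t, rather than a separate domain for the CGI script.

```python
import re
from collections import defaultdict

# Constructed sample input: the six denials quoted in the thread, one per line
# (the quoted mail ran the original audit.log records together).
SAMPLE_AVCS = """\
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# An AVC record reads: avc: denied { perm perm ... } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type (third field) of a user:role:type:level context string."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial; return a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return {
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'source_type': type_of(fields['scontext']),
            'target_type': type_of(fields['tcontext']),
            'tclass': fields['tclass'],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record: skip rather than guess


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, tclass): sorted permission list}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return {key: sorted(perms) for key, perms in rules.items()}


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax requires."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_te(module_name, rules):
    """Render a .te module (require block plus allow rules) from merged rules."""
    types, classes = [], defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        for t in (src, tgt):
            if t not in types:
                types.append(t)
        classes[cls].update(perms)
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (cls, fmt_perms(sorted(p))) for cls, p in classes.items()]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (src, tgt, cls, fmt_perms(perms))
            for (src, tgt, cls), perms in rules.items()]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Module name is an arbitrary choice for this example.
    print(render_te('local_sendmail_cgi', collect_rules(SAMPLE_AVCS.splitlines())))
```

For the sample, the output is three allow rules: sendmail_t on httpd_sys_content_t:file { getattr ioctl open read }, on postgresql_tmp_t:sock_file write, and on postgresql_t:unix_stream_socket connectto. On a real box the equivalent is `grep avc: /var/log/audit/audit.log | audit2allow -M local` followed by `semodule -i local.pp`; reading the generated .te before loading it is the step that shows whether the rules widen the sending domain more than intended.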