[CentOS] CentOS 5.2 + SELinux + Apache/PHP + Postfix

Sat Aug 23 17:44:53 UTC 2008
Art Age Software <artagesw at gmail.com>

Hi All,

I'm running CentOS 5.2 with SELinux in enforcing mode (default
targeted policy). The server hosts a PHP web app that sends mail. I'm
getting the following errors (see end of message) in my selinux
audit.log file every time the app sends an email. The email always
seems to get sent successfully, despite the log messages. However,
they do concern me and I would like to understand what they mean and
why they occur.

The first set of messages seems to relate to postfix being denied
attempts to create/read/write a temporary file in Apache's context. In
the second set, it seems that postdrop is attempting to do something
with apache's error log file.

Can anyone help make sense of this? I know I can create policy rules
to allow these actions. But I don't want to do that without
understanding the implications. For reference, audit2allow suggests
the following policy additions:

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t httpd_log_t:file getattr;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
allow system_mail_t httpd_tmp_t:file { read write };

Any help greatly appreciated.

Thanks!

Sam

-------------------------------------------------------------------------------------------

type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read write }
for  pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E302E313236373935383634322E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read write }
for  pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E312E3534383639343233352E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read write }
for  pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E322E313236323334313837332E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read write }
for  pid=xxxxx comm="sendmail"
path=2F746D702F2E7863616368652E302E332E32313137303238332E6C6F636B202864656C6574656429
dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read } for
pid=xxxxx comm="sendmail" path="eventpoll:[xxxxx]" dev=eventpollfs
ino=xxxxx scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=SYSCALL msg=audit(1219458556.400:16996): arch=c000003e syscall=59
success=yes exit=0 a0=e04360 a1=e043e0 a2=e031a0 a3=3 items=0
ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx
fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363
comm="sendmail" exe="/usr/sbin/sendmail.postfix"
subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1219458556.410:16997): avc:  denied  { getattr }
for  pid=xxxxx comm="postdrop" path="/var/log/httpd/error_log"
dev=dm-4 ino=xxxxx scontext=user_u:system_r:postfix_postdrop_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1219458556.410:16997): arch=c000003e syscall=5
success=no exit=-13 a0=2 a1=7fffd0dbfa70 a2=7fffd0dbfa70 a3=0 items=0
ppid=xxxxx pid=xxxxx auid=xxx uid=xxx gid=xxx euid=xxx suid=xxx
fsuid=xxx egid=xxx sgid=xxx fsgid=xxx tty=(none) ses=1363
comm="postdrop" exe="/usr/sbin/postdrop"
subj=user_u:system_r:postfix_postdrop_t:s0 key=(null)

-------------------------------------------------------------------------------------------
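An added example, not from the post or from the CentOS/Postfix projects: a small Python parser for AVC records like the ones above. It undoes the hex encoding audit applies to a `path` value containing a space (the `(deleted)` suffix marks a file that was unlinked while still open) and then merges the denials into the same `allow` lines audit2allow printed. The sample records are the post's own, rejoined onto one line each.

```python
import re
# Constructed sample: three AVC records from the post, each rejoined onto one
# line (audit writes one record per line; the mail client wrapped them).
# The "xxxxx" values are the poster's own masking, not real ids.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read write } for  pid=xxxxx comm="sendmail" path=2F746D702F2E7863616368652E302E302E313236373935383634322E6C6F636B202864656C6574656429 dev=dm-1 ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1219458556.400:16996): avc:  denied  { read } for pid=xxxxx comm="sendmail" path="eventpoll:[xxxxx]" dev=eventpollfs ino=xxxxx scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1219458556.410:16997): avc:  denied  { getattr } for  pid=xxxxx comm="postdrop" path="/var/log/httpd/error_log" dev=dm-4 ino=xxxxx scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
HEX_FIELDS = {"path", "comm", "exe", "name", "proctitle"}  # fields audit may hex-encode

def decode_value(name, value):
    # audit quotes a clean value; one holding a space, quote or control byte
    # (here the " (deleted)" suffix of an unlinked lock file) is written as bare hex
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_FIELDS and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_avc(text):
    # one dict per denial: the permission set plus every decoded key=value field
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {"perms": set(m.group("perms").split())}
        for name, raw in FIELD_RE.findall(m.group("rest")):
            rec[name] = decode_value(name, raw)
        records.append(rec)
    return records

def suggest_rules(records):
    # collapse denials into audit2allow-style lines, merging the permissions of
    # records that share (source type, target type, object class)
    merged = {}
    for rec in records:
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules
```

Decoding the first record's path yields an unlinked lock file under /tmp labelled httpd_tmp_t, held open by sendmail, which is consistent with descriptors inherited across the exec of the mailer rather than files the mailer opened itself (my reading of the log, not a claim from the post).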