On Thu, 2012-05-03 at 11:04 -0400, Daniel J Walsh wrote:
> On 05/03/2012 10:40 AM, Alan M. Evans wrote:
> > On Thu, 2012-05-03 at 10:19 -0400, Daniel J Walsh wrote:
> >
> >> What AVC messages are you seeing?
> >
> > None now, as I said. But before I applied the local policy, the denials
> > were:
> >
> > type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
> > type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
> > type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
> >
> > I used these with audit2allow to make a local policy module. Since then,
> > audit.log is completely silent when the script execution fails.
>
> An email comes in and this then executes a cgi script which connects to
> postgresql?

Yes. The DB that keeps the mailing list recipients is postgresql. I'm not
entirely certain how it got that far, given that sendmail was denied read
and open access on the script.
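Added example, not part of the thread and not audit2allow's own code: a small Python parser that reads the AVC records quoted above (re-joined one record per line; the records themselves are unchanged) and groups the denied permissions by (source type, target type, object class), which is the grouping audit2allow uses when it emits allow rules. It also lists which comm values were denied in each source domain, so you can see at a glance that every denial here is php-cgi running with scontext sendmail_t. The function names, the TE rule rendering and the summary are this example's own.

```python
import re
from collections import defaultdict

# The AVC records quoted in the thread above, one record per line.
# Constructed sample input for this example; nothing in the records is changed.
SAMPLE_AVC = """\
type=AVC msg=audit(1335990099.325:127749): avc: denied { getattr } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { read } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127750): avc: denied { open } for pid=17629 comm="php-cgi" name="email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.326:127751): avc: denied { ioctl } for pid=17629 comm="php-cgi" path="/var/www/html/mydomain/email-cgi.php" dev=cciss!c0d0p1 ino=14811468 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1335990099.346:127752): avc: denied { write } for pid=17629 comm="php-cgi" name=".s.PGSQL.5432" dev=cciss!c0d0p1 ino=9568267 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1335990099.346:127752): avc: denied { connectto } for pid=17629 comm="php-cgi" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# Shape of a record: 'avc: denied { perm perm } for key=value key="quoted" ...'
# (\s+ also absorbs the doubled spaces real audit.log lines contain.)
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def type_of(context):
    """user:role:type:range -> type (the third colon-separated field)."""
    return context.split(':')[2]


def aggregate(text):
    """Union the denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key] |= rec['perms']
    return dict(rules)


def to_te_rules(rules):
    """Render the groups as TE allow rules, the shape audit2allow prints."""
    return [f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (s, t, cls), perms in sorted(rules.items())]


def comms_by_domain(text):
    """Which executables (comm) were denied while running in each source domain."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['verdict'] == 'denied' and rec['comm']:
            seen[type_of(rec['scontext'])].add(rec['comm'])
    return dict(seen)


if __name__ == '__main__':
    for rule in to_te_rules(aggregate(SAMPLE_AVC)):
        print(rule)
    for domain, comms in comms_by_domain(SAMPLE_AVC).items():
        print(f"# {domain}: denied while running {', '.join(sorted(comms))}")
```

Run it against the six records above and the three rules it prints are exactly the ones a blanket audit2allow pass would hand you: sendmail_t gets read access to httpd_sys_content_t files, write on the postgresql_tmp_t socket file, and connectto on postgresql_t. The comm summary is the part worth reading before loading such a module: the process being denied is php-cgi, but its source domain is sendmail_t, so the CGI is executing in sendmail's domain and the allow rules widen sendmail_t itself rather than a domain specific to the script.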