Hello-
System: Fedora Core 3, current
I am using a trouble ticketing system written in PHP (phpSupport) which uses sendmail through calling a perl script provided by the package. Every time phpSupport passes a mail request to sendmail, this audit appears:
Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied { name_connect } for pid=3948 comm="sendmail" dest=25 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
In /var/log/maillog, sendmail logs this for the email transaction:
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: from=apache, size=505, class=0, nrcpts=1, msgid=<200509271643.j8RGhYfY003948@xxxxxxxxxxxxxxxxx>, relay=apache@localhost
Sep 27 12:43:34 apache02 sendmail[3948]: j8RGhYfY003948: to=aastaneh@xxxxxxxxx, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30505, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Permission denied
I have already submitted a bug report
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168874
and this problem was fixed in FC4... with no real note of fixing it for FC3.
I have already done a touch /.autorelabel and rebooted, but to no avail.
The only fix is to take the results of audit2allow and recompile policy (which worked on my development box).
I am a little wary of building policy from policy-sources on a production machine in order to insert dontaudit rules to stop this denial.. is it possible to build policy on a development server (with the exact architecture) and transplant it into the production machine? If so- what procedure must I follow?
Are there any other solutions?
Amin Astaneh
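
How the AVC denial quoted in the message above maps to a type-enforcement rule, as an added example that is not part of the original post and is not audit2allow's own code. The parser is a simplified sketch; the sample line is the denial from the message rejoined onto one line, and all function names are hypothetical.

```python
import re

# The denial quoted in the message above, rejoined onto one line.
SAMPLE = (
    'Sep 27 12:43:34 apache02 kernel: audit(1127839414.326:11): avc: denied '
    '{ name_connect } for pid=3948 comm="sendmail" dest=25 '
    'scontext=user_u:system_r:system_mail_t '
    'tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    perms = sorted(set(m.group('perms').split()))
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in fields]
    if missing or not perms:
        raise ValueError('incomplete AVC record: %r' % line)
    return {
        'perms': perms,
        'comm': fields.get('comm', ''),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def to_rule(denial, kind='allow'):
    """Render the rule covering this denial; 'dontaudit' only silences the log."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError('unsupported rule kind: ' + kind)
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return '%s %s %s:%s %s;' % (kind, denial['source'], denial['target'],
                                denial['tclass'], perm_text)


if __name__ == '__main__':
    print(to_rule(parse_avc(SAMPLE)))
```

Reading the generated rule before compiling it into policy shows exactly which source type, target type, class and permission are being opened up.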