From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 10 Nov 2012 17:50:17 +0100
Subject: [refpolicy] [PATCH 4/5] Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
In-Reply-To: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1352566218-17772-5-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When fail2ban invokes sendmail to send out a mail event, denials such as the
following ones occur, but without any consequence on the functioning itself
(the mails are sent out correctly, no errors in logs):

type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd

It looks like these are due to leaked file descriptors.

Signed-off-by: Sven Vermeulen
---
 mta.te | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/mta.te b/mta.te
index 712dbf5..11e7363 100644
--- a/mta.te
+++ b/mta.te
@@ -250,6 +250,8 @@ optional_policy(`
 optional_policy(`
 	fail2ban_append_log(system_mail_t)
+	fail2ban_dontaudit_use_fds(system_mail_t)
+	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
 	fail2ban_rw_inherited_tmp_files(system_mail_t)
 ')
-- 
1.7.8.6
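Review bot: The second denial quoted in the message does not match what this hunk silences: its scontext is system_u:system_r:postfix_postdrop_t (tclass=fd), not system_mail_t, so `fail2ban_dontaudit_use_fds(system_mail_t)` will not cover it, and no fd-class denial for system_mail_t itself is shown. Either drop that line from this hunk or add the corresponding dontaudit in the postfix module for postfix_postdrop_t and quote the system_mail_t fd denial that motivates the line here. The first denial (system_mail_t on a fail2ban_t unix_stream_socket) is covered by `fail2ban_dontaudit_rw_stream_sockets(system_mail_t)`. Neither interface is defined in this patch, so please confirm the earlier patches in the 5-patch series add both to fail2ban.if, otherwise mta.te fails to build. Also note in the commit message that dontaudit only hides the noise: the leak itself (fail2ban_t handing its socket and /dev/null fd to a child in another domain) is best fixed on the fail2ban side by closing or marking those descriptors close-on-exec before the exec.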