Questions about some selinux audit messages

Ali Nebi anebi at iguanait.com
Tue Aug 21 13:43:20 UTC 2007


Hi everyone,

I get these audit messages on all servers:

Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied
{ append } for  pid=9416 comm="sendmail" name="error.log" dev=dm-0
ino=16416800 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied
{ read write } for  pid=9416 comm="sendmail" name="[eventpoll]"
dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied
{ append } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file

Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied
{ getattr } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file

Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:360):avc:denied
{ append } for  pid=9448 comm="sendmail" name="error.log" dev=dm-0
ino=16416800 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:361):avc:denied
{ read write } for  pid=9448 comm="sendmail" name="[eventpoll]"
dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Aug 21 14:26:58 casamerica kernel: audit(1187699218.253:362):avc:denied
{ append } for  pid=9449 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file

Aug 21 14:26:58 casamerica kernel: audit(1187699218.256:363):avc:denied
{ getattr } for  pid=9449 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file

Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied
{ name_connect } for  pid=32151 comm="httpd" dest=5432
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

So, these are the messages.

We have installed Fedora 6, x86_64.
My questions are these:

1. Why does postdrop try to read, append to, and get the attributes of
the Apache logs? Can it be because we have installed the Logwatch
program? We get these on all servers.

2. I have to allow postdrop to do what is needed with the logs; is this
secure, and will it not be a problem for something?

3. For the last one, httpd tries to connect to the postgresql socket;
why does this happen, and is it secure?

4. I have to give httpd this permission to connect to postgresql.

We have set postgresql to work on localhost and not to execute queries
from remote hosts and sites.

I will wait for your opinions. Thanks in advance.

Regards, Ali Nebi!
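
One way to condense denials like those listed in this post into one line per source type, target type and object class, so repeated records collapse before anyone decides how to handle them. This is an added example, not part of the original message; the names `parse_avc` and `summarize` are made up for it, and the sample input is four of the records above, copied with their line wrapping.

```python
import re
from collections import defaultdict

# Four of the denials from the post above, with the archive's line wrapping.
SAMPLE = """\
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied
{ read write } for  pid=9416 comm="sendmail" name="[eventpoll]"
dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied
{ append } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied
{ getattr } for  pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied
{ name_connect } for  pid=32151 comm="httpd" dest=5432
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC = re.compile(
    r'audit\([\d.]+:\d+\):\s*avc:\s*denied\s*'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def parse_avc(text):
    """Yield one dict per AVC denial, whether or not the records are wrapped."""
    flat = ' '.join(text.split())                   # undo line wrapping
    for chunk in re.split(r'(?=audit\()', flat):    # one chunk per record
        m = AVC.match(chunk)
        if not m:
            continue                                # syslog prefix or other text
        rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m['fields'])}
        rec['perms'] = m['perms'].split()
        yield rec

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for r in parse_avc(text):
        # A context is user:role:type:level; field 2 is the type.
        key = (r['scontext'].split(':')[2], r['tcontext'].split(':')[2], r['tclass'])
        out[key].update(r['perms'])
    return dict(out)

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(sorted(perms))} }}')
```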




