[SOLVED] [SELinux] Sendmail Trying to Access WordFence Files (WordPress)

caboloco
Posts: 2
Joined: 2019/03/05 17:39:28

[SOLVED] [SELinux] Sendmail Trying to Access WordFence Files (WordPress)

Post by caboloco » 2019/03/05 17:53:19

We are running WordPress and are using the WordFence plugin for added security. For some reason, every time WordFence sends an alert email, Sendmail tries to access certain WordFence files.

The email gets sent out without issue; however, there are errors in the SELinux audit log regarding Sendmail trying to access the WordFence files.

I'm trying to understand why this is happening. I can't think of a legitimate reason why Sendmail would need to access these files. Maybe this is related to file descriptor leaks? Any insight would be appreciated.

Current Setup:
PHP-FPM with Nginx

SELinux Status

Code:

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Code:

httpd_can_sendmail --> on

SEcontext and permissions on files

Code:

[wp-content]# ls -alZ wflogs
drwxr-xr-x. php-fpm php-fpm   unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxrwxr-x. php-fpm php-fpm   unconfined_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 attack-data.php
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 config-livewaf.php
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 config.php
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 config-synced.php
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 config-transient.php
-rw-r--r--. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 GeoLite2-Country.mmdb
-rw-r--r--. php-fpm php-fpm   unconfined_u:object_r:httpd_sys_rw_content_t:s0 .htaccess
-rw-------+ php-fpm php-fpm   unconfined_u:object_r:httpd_sys_rw_content_t:s0 ips.php
-rw-r--r--. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 rules.php
-rw-------. php-fpm php-fpm system_u:object_r:httpd_sys_rw_content_t:s0 template.php

From the SELinux audit logs:

Code:

time->Tue Mar  5 08:46:43 2019
type=PROCTITLE msg=audit(1551800803.236:305729): proctitle=2F7573722F7362696E2F73656E646D61696C002D74002D69
type=SYSCALL msg=audit(1551800803.236:305729): arch=c000003e syscall=59 success=yes exit=0 a0=2550a90 a1=2550b60 a2=254fab0 a3=7ffd00fc8960 items=0 ppid=28697 pid=27626 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/GeoLite2-Country.mmdb" dev="dm-0" ino=556519 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/config-transient.php" dev="dm-0" ino=556541 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/config-livewaf.php" dev="dm-0" ino=556502 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/config-synced.php" dev="dm-0" ino=900838 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/attack-data.php" dev="dm-0" ino=900837 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/config.php" dev="dm-0" ino=588781 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/ips.php" dev="dm-0" ino=556517 scontext=system_u:system_r:system_mail_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0

Last edited by caboloco on 2019/03/11 17:23:48, edited 1 time in total.

caboloco
Posts: 2
Joined: 2019/03/05 17:39:28

[SOLVED] [SELinux] Sendmail Trying to Access WordFence Files

Post by caboloco » 2019/03/11 17:21:25

Turns out it was open file descriptors.
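The pattern in the audit excerpt above is worth being able to recognise on sight: when a process calls execve() into a new SELinux domain, the kernel revalidates every open file descriptor against that new domain, logs an AVC denial for each descriptor the new domain may not keep (the permission set reflects how the descriptor was opened, hence { read } for the read-only GeoLite database and { read write } for the config files), and replaces the denied descriptors with /dev/null. The exec itself still succeeds, which is why the SYSCALL record shows syscall=59 (execve on x86_64) with success=yes exit=0 while denials are logged under the same audit event id. The sendmail binary never asked for those files; PHP-FPM left them open without the close-on-exec flag when it spawned sendmail. The following Python script is an added example, not code from the thread or from WordFence; it correlates AVC records with their SYSCALL record by event id and separates this leaked-descriptor signature from a process that genuinely tried to open the file itself. The first sample event is copied (abridged) from the post; the second is constructed for contrast. The hypothetical helper names (triage, classify_event) are my own.

```python
"""Triage SELinux AVC denials: tell descriptors leaked across execve() apart
from a process opening a file itself. Added example, not from the thread."""

import re
from collections import defaultdict

# Constructed sample. Event 305729 is abridged from the audit excerpt in the
# post (a successful execve of sendmail followed by denials on wflogs files).
# Event 305800 is invented for contrast: the same domain calling openat()
# (syscall 257 on x86_64) on a wflogs file itself and being refused (exit=-13).
SAMPLE_AUDIT = """\
time->Tue Mar  5 08:46:43 2019
type=SYSCALL msg=audit(1551800803.236:305729): arch=c000003e syscall=59 success=yes exit=0 ppid=28697 pid=27626 uid=995 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/GeoLite2-Country.mmdb" dev="dm-0" ino=556519 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551800803.236:305729): avc:  denied  { read write } for  pid=27626 comm="sendmail" path="/var/www/vhosts/wordpress/wp-content/wflogs/config.php" dev="dm-0" ino=588781 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
----
time->Tue Mar  5 08:50:00 2019
type=SYSCALL msg=audit(1551801000.000:305800): arch=c000003e syscall=257 success=no exit=-13 pid=27700 uid=995 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1551801000.000:305800): avc:  denied  { read } for  pid=27700 comm="sendmail" name="config.php" dev="dm-0" ino=588781 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
"""

EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# Only the handful of x86_64 (arch=c000003e) syscall numbers this triage needs.
X86_64_SYSCALLS = {"0": "read", "1": "write", "2": "open",
                   "59": "execve", "257": "openat", "322": "execveat"}


def parse_record(line):
    """Turn one 'type=...' audit line into a dict of its key=value fields."""
    match = EVENT_ID_RE.search(line)
    if not line.startswith("type=") or not match:
        return None  # 'time->' headers, '----' separators, anything else
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event_id"] = match.group(2)
    avc = AVC_RE.search(line)
    if avc:
        fields["result"] = avc.group(1)
        fields["perms"] = avc.group(2).split()
    return fields


def group_events(text):
    """Group records sharing an audit event id (one syscall and its AVCs)."""
    events = defaultdict(list)
    for line in text.splitlines():
        record = parse_record(line)
        if record:
            events[record["event_id"]].append(record)
    return events


def classify_event(records):
    """Correlate the SYSCALL record with the AVC denials of one event."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    denials = [r for r in records
               if r.get("type") == "AVC" and r.get("result") == "denied"]
    if not denials:
        return None
    finding = {
        "event_id": records[0]["event_id"],
        "comm": denials[0].get("comm"),
        "scontext": denials[0].get("scontext"),
        # (target, its label, permissions refused) for each denied object
        "targets": sorted({(r.get("path") or r.get("name"), r.get("tcontext"),
                            " ".join(r.get("perms", []))) for r in denials}),
    }
    if syscall is None or syscall.get("arch") != "c000003e":
        finding.update(verdict="unknown", syscall=None,
                       reason="no x86_64 SYSCALL record to correlate with")
        return finding
    name = X86_64_SYSCALLS.get(syscall["syscall"], syscall["syscall"])
    finding["syscall"] = name
    if name in ("execve", "execveat") and syscall.get("success") == "yes":
        # Denials logged by a successful exec come from descriptors the parent
        # left open: fix the parent (close them or set close-on-exec), not policy.
        finding.update(verdict="leaked_fd_on_exec",
                       reason="descriptors inherited from ppid %s revalidated at exec"
                              % syscall.get("ppid", "?"))
    elif name in ("open", "openat", "read", "write"):
        finding.update(verdict="direct_access",
                       reason="the process itself tried to use the file")
    else:
        finding.update(verdict="other", reason="review manually")
    return finding


def triage(text):
    """Map event id -> finding for every event in the audit text with denials."""
    findings = (classify_event(r) for r in group_events(text).values())
    return {f["event_id"]: f for f in findings if f}


if __name__ == "__main__":
    for event_id, f in sorted(triage(SAMPLE_AUDIT).items()):
        print("%s %-8s %-20s %s" % (event_id, f["comm"], f["verdict"], f["reason"]))
        for target, label, perms in f["targets"]:
            print("    %-60s %s {%s}" % (target, label, perms))
```

On a live host, feed it the raw output of `ausearch -m AVC,SYSCALL -ts recent` instead of SAMPLE_AUDIT. A `leaked_fd_on_exec` verdict points at the parent process named by ppid (here PHP-FPM) rather than at the program in comm, and the remedy is in that parent: open files with O_CLOEXEC or close them before spawning, not an `audit2allow` rule granting system_mail_t access to httpd_sys_rw_content_t.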
