Bug 128784

Summary: Postfix does not work with SELinux enforcing strict policy
Product: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Reporter: W. Michael Petullo <redhat>
Assignee: Russell Coker <rcoker>
CC: chris.ricker, rcoker
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Fixed In Version: 1.18.2
Doc Type: Bug Fix
Last Closed: 2004-11-08 01:43:38 UTC
Bug Blocks: 123268, 136451
Attachments: SELinux-related errors from /etc/init.d/postfix start (flags: none)

Description W. Michael Petullo 2004-07-29 15:34:18 UTC

Description of problem:
Postfix does not properly process outgoing mail when SELinux is
enforcing its strict policy (selinux-policy-strict-1.15.5-2).

Version-Release number of selected component (if applicable):
postfix-2.1.1-3.1

How reproducible:
Always

Steps to Reproduce:
1.  Configure postfix to use a relayhost.

2.  Try to send a mail using mutt and watch the system logs.

Actual Results:  The email does not go out.  The following is logged:

Jul 29 10:13:17 imp kernel: audit(1091113997.867:0): avc:  denied  {
read } for  pid=3479 exe=/usr/sbin/sendmail.postfix path=pipe:[6225]
dev=pipefs ino=6225 scontext=root:sysadm_r:sysadm_mail_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file


Expected Results:  The email should go out and no errors should be logged.

Additional info:

Everything works fine when SELinux is not enforcing its policy.

I am relaying through a tunnel provided by stunnel from localhost to
my mail server.  I don't think this is relevant to this bug.  However,
I can provide more information about my configuration if it is needed.

Comment 1 W. Michael Petullo 2004-08-28 15:08:36 UTC
Created attachment 103203 [details]
SELinux-related errors from /etc/init.d/postfix start

This seems to be somewhat fixed as of selinux-policy-strict-1.17.4-2.  Outgoing
mail is processed correctly by postfix.  However, when the postfix service
starts there are many SELinux errors logged.  This attachment is a log
fragment.

Comment 2 Thomas Woerner 2004-09-08 08:59:18 UTC
There is a missing newline in the log (lines 2 and 3 are concatenated).

The output of audit2allow is this:

allow consoletype_t user_su_t:fifo_file { read };
allow postfix_master_t policy_src_t:dir { search };
allow postfix_master_t selinux_config_t:dir { search };
allow postfix_master_t user_su_t:fifo_file { read };

Assigning to policy to include these rules.

Comment 3 W. Michael Petullo 2004-10-03 22:08:12 UTC
With selinux-policy-strict-1.17.26-1, I now get:

Oct  3 17:09:28 imp kernel: audit(1096841368.526:0): avc:  denied  {
read } for  pid=5685 exe=/sbin/consoletype path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.558:0): avc:  denied  {
read } for  pid=5686 exe=/usr/sbin/postalias path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.595:0): avc:  denied  {
write } for  pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0
ino=327759 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct  3 17:09:29 imp kernel: audit(1096841369.603:0): avc:  denied  {
read } for  pid=5687 exe=/usr/sbin/postfix path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:30 imp postfix:  succeeded
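As an added illustration (not part of this report and not audit2allow's own code), the following Python turns kernel AVC denial records of the form shown above into the `allow` rules that comment 2 obtained from audit2allow; it is run over the records from comment 3, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Sample records copied from comment 3 of this report, re-joined onto one
# line each (the original was wrapped by the mailer).
SAMPLE_LOG = [
    "Oct  3 17:09:28 imp kernel: audit(1096841368.526:0): avc:  denied  { read } for  "
    "pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 "
    "scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file",
    "Oct  3 17:09:28 imp kernel: audit(1096841368.558:0): avc:  denied  { read } for  "
    "pid=5686 exe=/usr/sbin/postalias path=pipe:[11205] dev=pipefs ino=11205 "
    "scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file",
    "Oct  3 17:09:28 imp kernel: audit(1096841368.595:0): avc:  denied  { write } for  "
    "pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 "
    "scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file",
    "Oct  3 17:09:29 imp kernel: audit(1096841369.603:0): avc:  denied  { read } for  "
    "pid=5687 exe=/usr/sbin/postfix path=pipe:[11205] dev=pipefs ino=11205 "
    "scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file",
]

# Kernel AVC record shape of this era: "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]   # a context is user:role:type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None                                  # truncated or foreign record
    return stype, ttype, tclass, m.group("perms").split()


def avc_to_allow_rules(lines):
    """One audit2allow-style rule per (source, target, class); perms merged, duplicates dropped."""
    perms_by_key = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            perms_by_key[(stype, ttype, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_key.items())]
```

As with audit2allow itself, the generated rules are a starting point for review, not a fix: the fifo_file denials here are on a pipe inherited from the invoking shell, the kind of leaked descriptor a policy writer usually silences with dontaudit rather than grants.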


Comment 4 W. Michael Petullo 2004-10-21 02:21:55 UTC
With selinux-policy-strict-1.17.30-2, I now get:

Oct 20 21:23:11 imp kernel: audit(1098325391.124:0): avc:  denied  {
write } for  pid=26747 exe=/usr/sbin/postalias name=aliases.db
dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc:  denied  {
read } for  pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc:  denied  {
getattr } for  pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0
ino=315075 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:12 imp kernel: audit(1098325392.206:0): avc:  denied  {
getattr } for  pid=26762 exe=/bin/bash
path=/usr/share/man/man1/mailq.postfix.1.gz dev=dm-0 ino=81854
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:man_t tclass=file

Comment 5 Daniel Walsh 2004-11-06 07:03:34 UTC
With selinux-policy-strict-1.18.1 in Enforcing mode you should not be
seeing these messages any longer.

Comment 6 W. Michael Petullo 2004-11-08 01:43:38 UTC
Mail seems to go through with selinux-policy-strict-1.18.1.

I still get AVC errors, but they don't seem to affect mail delivery. 
I set the bug to resolved but will document the remaining
(unimportant?) errors here:

When stopping postfix:

Nov  7 19:36:26 imp kernel: audit(1099877786.938:0): avc:  denied  {
read } for  pid=17639 exe=/sbin/consoletype path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:36:27 imp kernel: audit(1099877787.027:0): avc:  denied  {
read } for  pid=17640 exe=/usr/sbin/postfix path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file

When starting postfix:

Nov  7 19:38:54 imp kernel: audit(1099877934.587:0): avc:  denied  {
read } for  pid=18630 exe=/sbin/consoletype path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:38:54 imp kernel: audit(1099877934.671:0): avc:  denied  {
read } for  pid=18633 exe=/usr/sbin/postalias path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:38:54 imp kernel: audit(1099877934.703:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.704:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.704:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.721:0): avc:  denied  {
read } for  pid=18634 exe=/usr/sbin/postfix path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file

When processing outgoing mail:

Nov  7 19:40:18 imp kernel: audit(1099878018.215:0): avc:  denied  {
connect } for  pid=18964 exe=/usr/sbin/xinetd laddr=127.0.0.1
lport=33392 scontext=system_u:system_r:inetd_t
tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov  7 19:40:18 imp kernel: audit(1099878018.283:0): avc:  denied  {
ioctl } for  pid=18964 exe=/usr/sbin/stunnel path=/dev/urandom
dev=tmpfs ino=1881 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file