Bug 128784
| Field | Value |
|---|---|
| Summary | Postfix does not work with SELinux enforcing strict policy |
| Product | Fedora |
| Component | policy |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | W. Michael Petullo <redhat> |
| Assignee | Russell Coker <rcoker> |
| CC | chris.ricker, rcoker |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | 1.18.2 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2004-11-08 01:43:38 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 123268, 136451 |
Description

W. Michael Petullo, 2004-07-29 15:34:18 UTC

Created attachment 103203: SELinux-related errors from /etc/init.d/postfix start

This seems to be somewhat fixed as of selinux-policy-strict-1.17.4-2. Outgoing mail is processed correctly by postfix. However, when the postfix service starts there are many SELinux errors logged. This attachment is a log fragment.
There is a missing newline in the log (lines 2 and 3 are concatenated). The output of audit2allow is this:

```
allow consoletype_t user_su_t:fifo_file { read };
allow postfix_master_t policy_src_t:dir { search };
allow postfix_master_t selinux_config_t:dir { search };
allow postfix_master_t user_su_t:fifo_file { read };
```

Assigning to policy to include these rules.

With selinux-policy-strict-1.17.26-1, I now get:

```
Oct 3 17:09:28 imp kernel: audit(1096841368.526:0): avc: denied { read } for pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:28 imp kernel: audit(1096841368.558:0): avc: denied { read } for pid=5686 exe=/usr/sbin/postalias path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:28 imp kernel: audit(1096841368.595:0): avc: denied { write } for pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 3 17:09:29 imp kernel: audit(1096841369.603:0): avc: denied { read } for pid=5687 exe=/usr/sbin/postfix path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:30 imp postfix: succeeded
```

With selinux-policy-strict-1.17.30-2, I now get:

```
Oct 20 21:23:11 imp kernel: audit(1098325391.124:0): avc: denied { write } for pid=26747 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc: denied { read } for pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc: denied { getattr } for pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:12 imp kernel: audit(1098325392.206:0): avc: denied { getattr } for pid=26762 exe=/bin/bash path=/usr/share/man/man1/mailq.postfix.1.gz dev=dm-0 ino=81854 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:man_t tclass=file
```

With selinux-policy-strict-1.18.1 in Enforcing mode you should not be seeing these messages any longer.

Mail seems to go through with selinux-policy-strict-1.18.1. I still get AVC errors, but they don't seem to affect mail delivery. I set the bug to resolved but will document the remaining (unimportant?) errors here:

When stopping postfix:

```
Nov 7 19:36:26 imp kernel: audit(1099877786.938:0): avc: denied { read } for pid=17639 exe=/sbin/consoletype path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:36:27 imp kernel: audit(1099877787.027:0): avc: denied { read } for pid=17640 exe=/usr/sbin/postfix path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
```

When starting postfix:

```
Nov 7 19:38:54 imp kernel: audit(1099877934.587:0): avc: denied { read } for pid=18630 exe=/sbin/consoletype path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:38:54 imp kernel: audit(1099877934.671:0): avc: denied { read } for pid=18633 exe=/usr/sbin/postalias path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:38:54 imp kernel: audit(1099877934.703:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.704:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.704:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.721:0): avc: denied { read } for pid=18634 exe=/usr/sbin/postfix path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
```

When processing outgoing mail:

```
Nov 7 19:40:18 imp kernel: audit(1099878018.215:0): avc: denied { connect } for pid=18964 exe=/usr/sbin/xinetd laddr=127.0.0.1 lport=33392 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov 7 19:40:18 imp kernel: audit(1099878018.283:0): avc: denied { ioctl } for pid=18964 exe=/usr/sbin/stunnel path=/dev/urandom dev=tmpfs ino=1881 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
```
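The audit2allow step discussed in this thread (turning kernel AVC denials into candidate `allow` rules), as an added example that is not part of the bug report or of the selinux-policy package: a small Python parser run over denials copied from the comments above. It assumes the syslog-prefixed `avc: denied { perm } for key=value ...` format shown in this report and merges permissions per (source type, target type, object class), which is what the quoted audit2allow output does.

```python
import re
from collections import defaultdict

# AVC denials copied verbatim from the comments in this bug report (plus one non-AVC line).
AVC_LINES = """\
Oct 3 17:09:28 imp kernel: audit(1096841368.526:0): avc: denied { read } for pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:28 imp kernel: audit(1096841368.595:0): avc: denied { write } for pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc: denied { read } for pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc: denied { getattr } for pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 7 19:36:27 imp kernel: audit(1099877787.027:0): avc: denied { read } for pid=17640 exe=/usr/sbin/postfix path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:30 imp postfix: succeeded
"""

# "avc: denied { perm ... } for key=value key=value ..." (assumed syslog format, as in this report)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Return (permissions, fields) for an AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return perms, fields


def type_of(context):
    """The third field of user:role:type[:range] is the type used in allow rules."""
    return context.split(":")[2]


def denials_to_rules(text):
    """Merge denials into one rule per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # ordinary syslog line, e.g. "postfix: succeeded"
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        rules[key] |= perms
    return {k: frozenset(v) for k, v in rules.items()}


def format_rules(rules):
    """Render rules in the syntax of the audit2allow output quoted in the thread.
    They are candidates for review: a denial may reflect a mislabelled file or
    an access the daemon does not need, not only a missing policy rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

Run `format_rules(denials_to_rules(AVC_LINES))` to see the two `selinux_config_t` denials collapse into one rule with `{ getattr read }`.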