Bug 169233

Summary: postfix.te doesn't have enough rules for postfix
Product: [Fedora] Fedora Reporter: Gabriel Ramirez <gabriello.ramirez>
Component: selinux-policy-targeted Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 1.27.1-2.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-29 13:28:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
119239: selinux rules to allow postfix to work (flags: none)
119241: supersedes the first local.te I sent, because the first file is missing some rules (flags: none)

Description Gabriel Ramirez 2005-09-25 18:42:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.0.6-1.2.fc4 Firefox/1.0.6

Description of problem:
Hi, 

I upgraded an fc4 machine to the latest updates, and when I rebooted the machine, the postfix daemon didn't start; that was because /etc/aliases* were mislabeled, and with restorecon I fixed them.

But postfix was unable to receive any email because selinux was denying some accesses.

My configuration: fc4 fully updated as of 09-24-2005, postfix using procmail as delivery agent, and spamassassin.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.1

How reproducible:
Always

Steps to Reproduce:
1. install or update to selinux-policy-targeted-1.27.1-2.1
2. use daemon postfix as mailer daemon

Actual Results: I was losing my email

Additional info:

type=AVC msg=audit(1127588266.774:19): avc:  denied  { read } for  pid=2889 comm="pickup" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.090:31): avc:  denied  { read } for  pid=3033 comm="proxymap" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.104:33): avc:  denied  { read } for  pid=3032 comm="smtpd" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.227:37): avc:  denied  { read } for  pid=3036 comm="trivial-rewrite" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.229:39): avc:  denied  { getattr } for  pid=3032 comm="smtpd" name="/" dev=md0 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:boot_t tclass=dir
type=AVC msg=audit(1127588277.229:40): avc:  denied  { getattr } for  pid=3032 comm="smtpd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1127608152.949:1445): avc:  denied  { execute } for  pid=9679 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127608153.973:1446): avc:  denied  { search } for  pid=9680 comm="bounce" name="pki" dev=dm-0 ino=59052 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:cert_t tclass=dir
type=AVC msg=audit(1127608153.973:1447): avc:  denied  { read } for  pid=9680 comm="bounce" name="urandom" dev=tmpfs ino=1321 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1127608153.973:1448): avc:  denied  { read } for  pid=9680 comm="bounce" name="random" dev=tmpfs ino=1319 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:random_device_t tclass=chr_file
type=AVC msg=audit(1127609630.377:1624): avc:  denied  { read } for  pid=11004 comm="local" name="cert.pem" dev=dm-0 ino=59209 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:cert_t tclass=lnk_file
type=AVC msg=audit(1127609280.973:1593): avc:  denied  { execute_no_trans } for  pid=10764 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609630.393:1625): avc:  denied  { read } for  pid=11005 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127671984.140:4362): avc:  denied  { getattr } for  pid=23772 comm="bash" name="formail" dev=dm-3 ino=554655 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609807.543:1648): avc:  denied  { search } for  pid=11220 comm="procmail" name="spamassassin" dev=dm-0 ino=60669 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:etc_mail_t tclass=dir

Comment 1 Gabriel Ramirez 2005-09-25 18:46:52 UTC
Created attachment 119239
selinux rules to allow postfix to work

Also, I had nscd not working; I had to add the first two rules to fix it. I
didn't write about it in the bug report, but when I saw the local.te I remembered
it.

Comment 2 Gabriel Ramirez 2005-09-25 19:22:44 UTC
Created attachment 119241
Supersedes the first local.te I sent, because the first file is missing some rules.

Comment 3 Daniel Walsh 2005-09-27 19:43:46 UTC
Fixed in selinux-policy-targeted-1.27.1-2.3


Comment 4 Adam 2005-09-28 09:54:07 UTC
I have a similar problem - I'm using 1.27.1-2.2, and I have a second aliases
file in a user's home directory. Postfix won't start with 'service postfix start'
but will start with /usr/sbin/postfix start. I get the following audit messages

type=AVC msg=audit(1127900117.911:87647): avc:  denied  { search } for  pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127900117.911:87647):  cwd="/"
type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases" flags=101  inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00

I have the following file permissions

# ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
drwxr-xr-x  root     root     system_u:object_r:root_t         /
drwxr-xr-x  root     root     system_u:object_r:home_root_t    /home
drwxrwsr-x  mud      mud      user_u:object_r:user_home_dir_t  /home/mud
drwxrwsr-x  mud      mud      user_u:object_r:user_home_t      /home/mud/etc
-rw-rw-r--  mud      mud      system_u:object_r:etc_aliases_t  /home/mud/etc/aliases

The audit2allow command recommends the following
# audit2allow -l -i audit.log
allow postfix_master_t home_root_t:dir search;
allow postfix_master_t unconfined_t:process signal;
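
Added example for the AVC records in the description and the audit2allow output in comment 4 above (this script is not part of the bug report or of selinux-policy-targeted). It rejoins records that a comment box has wrapped across lines, skips the SYSCALL/CWD/PATH records that accompany an AVC, merges the denied permissions per (source type, target type, class) into audit2allow-style allow rules, and flags any rule whose target is a home-directory type, since granting a system daemon access to user home directories is the case comment 7 argues should at most sit behind a boolean. The sample log is constructed from records quoted on this page; HOME_TYPES, the function names and the exact rule text are this example's own choices.

```python
"""Aggregate SELinux AVC denials into audit2allow-style rules and flag the
ones that reach into user home directories.

Added example for this bug thread; it is not part of the bug report or of
selinux-policy-targeted. HOME_TYPES, the function names and the rule text
format are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample built from records quoted in this bug. The postalias
# record is wrapped across four lines the way the comment box wrapped it, and
# the SYSCALL/CWD/PATH records that accompany an AVC are included so the
# parser has to skip them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127588266.774:19): avc:  denied  { read } for  pid=2889 comm="pickup" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127608153.973:1446): avc:  denied  { search } for  pid=9680 comm="bounce" name="pki" dev=dm-0 ino=59052 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:cert_t tclass=dir
type=AVC msg=audit(1127608153.973:1447): avc:  denied  { read } for  pid=9680 comm="bounce" name="urandom" dev=tmpfs ino=1321 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1127900117.911:87647): avc:  denied  { search } for
pid=31585 comm="postalias" name="/" dev=dm-2 ino=2
scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t
tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 pid=31585 auid=501 uid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127900117.911:87647):  cwd="/"
type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases" flags=101 inode=2 dev=fd:02 mode=040755
type=AVC msg=audit(1127588277.229:39): avc:  denied  { getattr } for  pid=3032 comm="smtpd" name="/" dev=md0 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:boot_t tclass=dir
type=AVC msg=audit(1127588277.229:40): avc:  denied  { getattr } for  pid=3032 comm="smtpd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1127608152.949:1445): avc:  denied  { execute } for  pid=9679 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609280.973:1593): avc:  denied  { execute_no_trans } for  pid=10764 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609630.393:1625): avc:  denied  { read } for  pid=11005 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
"""

# Target types that name user home directories; rules granting a system
# daemon access to these deserve a human look (this set is the example's own).
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def unwrap_records(text):
    """Rejoin audit records that were wrapped across lines: every audit record
    starts with 'type=', so any other non-empty line is a continuation."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def type_of(context):
    """Extract the type field (third component) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one AVC record; return None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', record)
    name = re.search(r'name="([^"]*)"', record)
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": comm.group(1) if comm else None,
        "name": name.group(1) if name else None,
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(records):
    """Merge denied permissions per (source type, target type, class)."""
    summary = defaultdict(set)
    for record in records:
        avc = parse_avc(record)
        if avc is None or avc["verdict"] != "denied":
            continue
        summary[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary in the 'allow src tgt:class perm;' shape audit2allow prints."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def needs_review(summary):
    """Keys whose target is a home-directory type: do not paste these into
    local.te unread; they widen a confined daemon into user space."""
    return sorted(key for key in summary if key[1] in HOME_TYPES)


if __name__ == "__main__":
    summary = summarize(unwrap_records(SAMPLE_AUDIT_LOG))
    for rule in to_allow_rules(summary):
        print(rule)
    for key in needs_review(summary):
        print("REVIEW:", key)
```

Run on the sample, the script prints seven rules (the three procmail denials collapse into one rule for postfix_local_t on bin_t:file) and marks the two home_root_t rules for review; on a real system feed it the output of `ausearch -m avc` or the raw audit.log instead of the embedded sample.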

Comment 5 Gabriel Ramirez 2005-09-28 18:27:55 UTC
(In reply to comment #3)
> Fixed in selinux-policy-targeted-1.27.1-2.3
> 

I downloaded it from testing-updates and I'm able to receive my emails. I
restarted the postfix daemon to check for any AVC messages, but none showed up,
well, only one about search on winbind_var_run_t, but I don't have any ill
effects from those AVCs, so it's fixed. Thanks.

Comment 6 Gabriel Ramirez 2005-09-28 18:34:17 UTC
(In reply to comment #4)
> I have a similar problem - I'm using 1.27.1-2.2, and I have a second aliases
> file in a user's home directory. Postfix won't start with 'service postfix start'
> but will start with /usr/sbin/postfix start. I get the following audit messages
> 
> type=AVC msg=audit(1127900117.911:87647): avc:  denied  { search } for  pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
> type=CWD msg=audit(1127900117.911:87647):  cwd="/"
> type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases" flags=101  inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> 
> I have the following file permissions
> 
> # ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
> drwxr-xr-x  root     root     system_u:object_r:root_t         /
> drwxr-xr-x  root     root     system_u:object_r:home_root_t    /home
> drwxrwsr-x  mud      mud      user_u:object_r:user_home_dir_t  /home/mud
> drwxrwsr-x  mud      mud      user_u:object_r:user_home_t      /home/mud/etc
> -rw-rw-r--  mud      mud      system_u:object_r:etc_aliases_t  /home/mud/etc/aliases
> 
> The audit2allow command recommends the following
> # audit2allow -l -i audit.log
> allow postfix_master_t home_root_t:dir search;
> allow postfix_master_t unconfined_t:process signal;

You can try the 1.27.1-2.3 version, but I'm almost sure you will have to add
some rules. You will need to install selinux-policy-targeted-sources and edit
/etc/selinux/targeted/src/policy/domains/misc/local.te, and after that move to
/etc/selinux/targeted/src/policy/domains/ and type make load.

Comment 7 Daniel Walsh 2005-09-29 13:28:55 UTC
The goal with SELinux is to protect the userspace from the system space, so
allowing postfix to read users home directories is not something we want to do,
or if we do allow it, it would need a boolean.

Comment 8 Gabriel Ramirez 2005-10-02 22:11:31 UTC
I installed selinux-policy-targeted-1.27.1-2.3 on a Thinkpad that was running
1.25, but when I tried to restart postfix with
service postfix restart
three times, all of them reported [Failed].
In audit.log I found this:
type=AVC msg=audit(1127938138.969:57): avc:  denied  { signal } for  pid=9283 comm="postfix-script" scontext=system_u:system_r:postfix_master_t tcontext=system_u:system_r:initrc_t tclass=process

I didn't touch the policy and rebooted the machine, and postfix started fine.
My question is: do I always have to restart the machine after updating the
selinux-policy? Thanks in advance.

Comment 9 Daniel Walsh 2005-10-03 13:41:08 UTC
No you should not need to reboot the machine.  I am not sure what caused this
problem.